Windows Analysis Report
ep_setup.exe

Overview

General Information

Sample name: ep_setup.exe
Analysis ID: 1578478
MD5: f164888a6fbc646b093f6af6663f4e63
SHA1: 3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c
SHA256: 8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Contains functionality to automate explorer (e.g. start an application)
Possible COM Object hijacking
Sigma detected: Explorer NOUACCHECK Flag
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w11x64_office
  • ep_setup.exe (PID: 8320 cmdline: "C:\Users\user\Desktop\ep_setup.exe" MD5: F164888A6FBC646B093F6AF6663F4E63)
    • taskkill.exe (PID: 8392 cmdline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe MD5: 050ED22BB515A81ED6FC73D042CE5DB4)
      • conhost.exe (PID: 8424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • sc.exe (PID: 8584 cmdline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: FF2A4319FA5531F0D7B98DBBA9ABBD4A)
      • conhost.exe (PID: 8600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • sc.exe (PID: 8672 cmdline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB MD5: FF2A4319FA5531F0D7B98DBBA9ABBD4A)
      • conhost.exe (PID: 8680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 9698384842DA735D80D278A427A229AB)
    • regsvr32.exe (PID: 8724 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" MD5: AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A)
    • regsvr32.exe (PID: 8744 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" MD5: AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A)
    • explorer.exe (PID: 8892 cmdline: "C:\Windows\explorer.exe" MD5: E2D1F700066D39814081317462A0FD74)
  • explorer.exe (PID: 9012 cmdline: "C:\Windows\explorer.exe" /NoUACCheck MD5: E2D1F700066D39814081317462A0FD74)
  • WidgetBoard.exe (PID: 3680 cmdline: "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer MD5: FE1C0C15EF5C6C2B0A1508BF23EAD6CE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\explorer.exe" /NoUACCheck, CommandLine: "C:\Windows\explorer.exe" /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1316, ProcessCommandLine: "C:\Windows\explorer.exe" /NoUACCheck, ProcessId: 9012, ProcessName: explorer.exe

Suricata alert (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-19T19:43:29.659700+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.24 | 49790 | 20.233.83.145 | 443 | TCP

Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6568FC70 CreateFileW,GetLastError,GetFileSizeEx,GetLastError,CloseHandle,CloseHandle,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,CloseHandle,12_2_00007FFD6568FC70
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\pris
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf
Source: C:\Users\user\Desktop\ep_setup.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: ep_setup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb9 source: ep_setup.exe, 00000001.00000003.11825212657.000001322B9BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: ep_setup.exe, 00000001.00000003.11824345024.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: explorer.pdbUGP source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: ep_setup.exe, 00000001.00000003.11824140764.0000013228E54000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11824101655.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartDocked.pdb source: explorer.exe, 0000000C.00000003.11857940561.0000000003780000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11870699948.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbb8 source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdb source: ep_setup.exe, 00000001.00000003.11833035066.000001322B9B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11858821436.0000000003785000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11871628442.0000000002DFC000.00000004.00000020.00020000.00000000.sdmp, StartUI_.dll.1.dr
Source: Binary string: GET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Global\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs.pdb] source: explorer.exe, 0000000E.00000003.12143590504.00000000079FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JumpViewUI.pdb source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: er.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6534F37452E1r.pdbv source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000C.00000003.11860676089.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11856615647.000000000378C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11868609315.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11873625449.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000C.00000003.11860676089.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11856615647.000000000378C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11868609315.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11873625449.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbR9 source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: StartUI.pdb@ source: ep_setup.exe, 00000001.00000003.11833035066.000001322B9B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11858821436.0000000003785000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11871628442.0000000002DFC000.00000004.00000020.00020000.00000000.sdmp, StartUI_.dll.1.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: ep_setup.exe, 00000001.00000003.11824345024.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: ep_setup.exe, 00000001.00000003.11823535101.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823575705.0000013228E56000.00000004.00000020.00020000.00000000.sdmp, ep_dwm.exe.1.dr
Source: Binary string: r.pdb source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JumpViewUI.pdb||#zGCTL source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xC:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb464,int)4 source: explorer.exe, 0000000E.00000003.12124763664.0000000010437000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12151803189.0000000010437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: ep_setup.exe, 00000001.00000003.11822258609.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11822325754.0000013228E5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: ep_setup.exe
Source: Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000E.00000003.12143590504.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb source: ep_setup.exe, 00000001.00000003.11825212657.000001322B9BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823886137.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_startmenu.pdb source: ep_setup.exe, 00000001.00000003.11829795440.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6566D980 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryExW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,12_2_00007FFD6566D980
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6565D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,12_2_00007FFD6565D920
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD65685AC0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,12_2_00007FFD65685AC0
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD65685070 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,12_2_00007FFD65685070
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6565CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,12_2_00007FFD6565CE30
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD656B3948 FindFirstFileExW,12_2_00007FFD656B3948
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6565DAC0 SHGetFolderPathW,FindFirstFileW,FindClose,12_2_00007FFD6565DAC0

Networking

Source: C:\Windows\explorer.exe | Network Connect: 20.233.83.145 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: Joe Sandbox View | IP Address: 20.233.83.145 20.233.83.145
Source: Joe Sandbox View | IP Address: 185.199.110.133 185.199.110.133
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.24:49790 -> 20.233.83.145:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD65690540 InternetOpenA,InternetOpenUrlA,InternetReadFile,SHGetFolderPathW,CreateDirectoryW,GetLastError,ShellExecuteExW,WaitForSingleObject,CloseHandle,Sleep,DeleteFileW,InternetCloseHandle,InternetCloseHandle,12_2_00007FFD65690540
Source: global traffic | HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1 | User-Agent: ExplorerPatcher | Host: github.com
Source: global traffic | HTTP traffic detected: GET /valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe HTTP/1.1 | User-Agent: ExplorerPatcher | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T184209Z&X-Amz-Expires=300&X-Amz-Signature=6d698d818240e4899e410aa379d337e10eebc51c67064cb29ff3b029bc673213&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1 | User-Agent: ExplorerPatcher | Connection: Keep-Alive | Host: objects.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: srtb.msn.com
Source: global traffic | DNS traffic detected: DNS query: tse1.mm.bing.net
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: WidgetBoard.exe, 00000014.00000002.13651394023.00000236E6B35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://adaptivecards.io/schemas/adaptive-card.json
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ep_setup.exe | String found in binary or memory: http://www.winimage.com/zLibDll
Source: WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirm
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet)
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher#donate
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/blob/master/CHANGELOG.md
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1102
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/discussions/1679
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issues
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/issueshttps://github.com/valinet/ExplorerPatcher/discussi
Source: explorer.exe | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exev
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/About-advanced-settings
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Configure-updates
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/ExplorerPatcher
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Frequently-asked-questions
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Settings-management
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Simple-Window-Switcher
Source: explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Symbols
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/SymbolsMicrosoft.Windows.Explorer
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Using-ExplorerPatcher-as-shell-extension
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/valinet/ExplorerPatcher/wiki/Weather
Source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.skype.com/meetnowjoin.winshell&exp=?exp=https://go.skype.com/meetnow.winshellskype:?actio
Source: ep_setup.exe, 00000001.00000003.11827026660.000001322BA74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.skype.com/meetnowlearn.winshell
Source: WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localc
Source: explorer.exe, 0000000E.00000003.12025005518.000000000A757000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12017307599.000000000A757000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12011879661.000000000A757000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1
Source: WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png
Source: explorer.exe, 0000000E.00000003.12143590504.00000000079FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/
Source: explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://vsblobprodscussu5shard86.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/212EE6F6E5
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823886137.0000013228E3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valinet.ro
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valinet.ro)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD65671640 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib_orig.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFD656511B0 appears 172 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFD656A7C0C appears 61 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFD6565D290 appears 81 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFD656740C0 appears 70 times
Source: C:\Windows\explorer.exe | Code function: String function: 00007FFD656A7DF4 appears 42 times
Source: ep_setup.exe | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_setup.exe.1.dr | Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ep_gui.dll.1.dr | Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ep_setup.exe | Binary or memory string: OriginalFilename vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11824384028.0000013228E62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11822258609.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11823535101.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_dwm.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11833035066.000001322B9B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStartUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11822864276.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJumpviewUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_gui.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11823575705.0000013228E56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_dwm.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11823886137.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameep_weather_host.exe@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11829795440.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11830518926.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJumpviewUI.dllj% vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11824345024.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebView2Loader.dll~/ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11822325754.0000013228E5F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: ep_setup.exe, 00000001.00000003.11829837528.0000013228E62000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameExplorerPatcher.dll@ vs ep_setup.exe
Source: classification engine | Classification label: mal60.evad.winEXE@18/35@4/2
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD656935A0 VirtualProtect,GetLastError,FormatMessageA,GetLastError
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6565DCF0 GetWindowsDirectoryW,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6566A6C0 CoCreateInstance,CoCreateInstance
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6568E620 SHGetFolderPathW,LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,LocalAlloc,FreeResource,VerQueryValueW,LocalFree,LoadStringW,LoadStringW,LoadStringW,GetModuleFileNameW,CreateFileW,CreateFileMappingW,CloseHandle,MapViewOfFile,_invalid_parameter_noinfo,UnmapViewOfFile,CloseHandle,CloseHandle,LoadStringW,LoadStringW,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FreeLibrary,LoadStringW,LoadStringW,LoadStringW,FreeLibrary
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ExplorerPatcher
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8600:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8680:120:WilError_03
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\explorer.exe
Source: ep_setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\ep_setup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ep_setup.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: explorer.exe | String found in binary or memory: Could not modify already-installed funchook handle.
Source: unknown | Process created: C:\Users\user\Desktop\ep_setup.exe "C:\Users\user\Desktop\ep_setup.exe"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /NoUACCheck
Source: unknown | Process created: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe "C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\ep_setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: virtdisk.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: smartscreenps.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: servicingcommon.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\ep_setup.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\sc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\sc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: webview2loader.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.fileexplorer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winuicohabitation.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.hardwareconfirmator.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: profext.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pnidui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: peopleband.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnapps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.fileexplorer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winuicohabitation.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.hardwareconfirmator.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: profext.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pnidui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowsudk.shellcommon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: peopleband.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnapps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: deviceassociation.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: twinui.appcore.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: applicationframe.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.shellcommon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: activationclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.system.launcher.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: container.policy.manager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: holographicextensions.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: abovelockapphost.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pfclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.shell.bluelightreduction.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.signals.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: directxdatabasehelper.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mscms.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mfplat.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rtworkq.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.gaming.input.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.internal.ui.shell.windowtabmanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: settingshandlers_desktoptaskbar.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: systemsettings.datamodel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.accessibility.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: switcherdatamodel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: structuredquery.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dmenrollengine.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.security.authentication.web.core.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: daxexec.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: container.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winbio.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostredirection.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: clipc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msvcp140_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: vcruntime140_app.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.management.inprocobjects.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: capabilityaccessmanagerclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: batmeter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: prnfldr.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: es.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpnclient.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: windows.media.devices.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dxp.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: syncreg.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: actioncenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dusmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: cscobj.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: srchadmin.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: synccenter.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: imapi2.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: netprofm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dot3api.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mobilenetworking.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: ncsi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: wcmapi.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: microsoft.internal.frameworkudk.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: microsoft.ui.windowing.core.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: microsoft.internal.frameworkudk.system.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: mrm.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: marshal.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: dwmcorei.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: microsoft.ui.composition.ossupport.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: d3dcompiler_47.dllJump to behavior
Source: C:\Windows\explorer.exeSection loaded: marshal.dllJump to behavior
Source: C:\Windows\explorer.exe | Section loaded: microsoft.inputstatemanager.dll
Source: C:\Windows\explorer.exe | Section loaded: microsoft.ui.input.dll
Source: C:\Windows\explorer.exe | Section loaded: themecpl.dll
Source: C:\Windows\explorer.exe | Section loaded: duser.dll
Source: C:\Windows\explorer.exe | Section loaded: dlnashext.dll
Source: C:\Windows\explorer.exe | Section loaded: wpdshext.dll
Source: C:\Windows\explorer.exe | Section loaded: microsoft.directmanipulation.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.energy.dll
Source: C:\Windows\explorer.exe | Section loaded: microsoft.ui.xaml.internal.dll
Source: C:\Windows\explorer.exe | Section loaded: threadpoolwinrt.dll
Source: C:\Windows\explorer.exe | Section loaded: cabinet.dll
Source: C:\Windows\explorer.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe | Section loaded: wer.dll
Source: C:\Windows\explorer.exe | Section loaded: diagnosticdatasettings.dll
Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe | Section loaded: ieproxy.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: vcruntime140_1_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: widgetboardview.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: execmodelclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: windowsudk.shellcommon.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: capauthz.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: shellcommoncommonproxystub.dll
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Properties (ExplorerPatcher).lnk.1.dr | LNK file: ..\..\..\..\..\..\Windows\System32\rundll32.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\Windows.UI.ShellCommon.pri
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\pris
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\pris\Windows.UI.ShellCommon.en-US.pri
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub150x150.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\officehub71x71.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote150x150.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\onenote71x71.png
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\BitMDL2.ttf
Source: C:\Users\user\Desktop\ep_setup.exe | Directory created: C:\Program Files\ExplorerPatcher\StartUI\Assets\Fonts\SkypeUISymbol-Regular.ttf
Source: C:\Users\user\Desktop\ep_setup.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher
Source: ep_setup.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ep_setup.exe | Static file information: File size 11143168 > 1048576
Source: ep_setup.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa68600
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ep_setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ep_setup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb9 source: ep_setup.exe, 00000001.00000003.11825212657.000001322B9BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdb source: ep_setup.exe, 00000001.00000003.11824345024.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: explorer.pdbUGP source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host_stub.pdb source: ep_setup.exe, 00000001.00000003.11824140764.0000013228E54000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11824101655.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartDocked.pdb source: explorer.exe, 0000000C.00000003.11857940561.0000000003780000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11870699948.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbb8 source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: StartUI.pdb source: ep_setup.exe, 00000001.00000003.11833035066.000001322B9B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11858821436.0000000003785000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11871628442.0000000002DFC000.00000004.00000020.00020000.00000000.sdmp, StartUI_.dll.1.dr
Source: Binary string: GET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Global\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs.pdb] source: explorer.exe, 0000000E.00000003.12143590504.00000000079FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JumpViewUI.pdb source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_gui.pdb source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: er.pdb source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6534F37452E1r.pdbv source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdbUGP source: explorer.exe, 0000000C.00000003.11860676089.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11856615647.000000000378C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11868609315.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11873625449.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: twinui.pcshell.pdb source: explorer.exe, 0000000C.00000003.11860676089.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11856615647.000000000378C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11868609315.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11873625449.0000000002E7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdbR9 source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ExplorerPatcher.amd64.pdb source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: StartUI.pdb@ source: ep_setup.exe, 00000001.00000003.11833035066.000001322B9B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11858821436.0000000003785000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11871628442.0000000002DFC000.00000004.00000020.00020000.00000000.sdmp, StartUI_.dll.1.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\WebView2Loader.dll.pdbOGP source: ep_setup.exe, 00000001.00000003.11824345024.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_dwm.pdb source: ep_setup.exe, 00000001.00000003.11823535101.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823575705.0000013228E56000.00000004.00000020.00020000.00000000.sdmp, ep_dwm.exe.1.dr
Source: Binary string: r.pdb source: explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: JumpViewUI.pdb||#zGCTL source: ep_setup.exe, 00000001.00000003.11830373643.000001322B9B3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xC:\Users\user\AppData\Roaming\ExplorerPatcher\explorer.pdb464,int)4 source: explorer.exe, 0000000E.00000003.12124763664.0000000010437000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12151803189.0000000010437000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\Win32\ExplorerPatcher.IA-32.pdb source: ep_setup.exe, 00000001.00000003.11822258609.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11822325754.0000013228E5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_setup.pdb source: ep_setup.exe
Source: Binary string: http://msdl.microsoft.com/download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb source: explorer.exe, 0000000E.00000003.12143590504.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ep_taskbar\ep_taskbar\build\Release\x64\ep_taskbar.2.pdb source: ep_setup.exe, 00000001.00000003.11825212657.000001322B9BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Hostmsdl.microsoft.comGET /download/symbols/explorer.pdb/598A53662BD73B032010E6534F37452E1/explorer.pdb HTTP/1.1 source: explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_weather_host.pdb source: ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823886137.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\ExplorerPatcher\ExplorerPatcher\build\Release\x64\ep_startmenu.pdb source: ep_setup.exe, 00000001.00000003.11829795440.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp
Source: ep_setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ep_setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ep_setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ep_setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ep_setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: JumpViewUI_.dll.1.dr | Static PE information: 0xC8146642 [Fri May 15 14:54:58 2076 UTC]
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD6566BFE0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,CreateWindowExW,SetWindowLongPtrW,RegGetValueW,GetModuleHandleW,GetProcAddress,LoadLibraryW
Source: ep_weather_host_stub.dll.1.dr | Static PE information: section name: .orpc
Source: WebView2Loader.dll.1.dr | Static PE information: section name: .gxfg
Source: WebView2Loader.dll.1.dr | Static PE information: section name: .retplne
Source: WebView2Loader.dll.1.dr | Static PE information: section name: _RDATA
Source: JumpViewUI_.dll.1.dr | Static PE information: section name: .didat
Source: StartUI_.dll.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"

Persistence and Installation Behavior

Source: c:\program files\explorerpatcher\ep_weather_host.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{a6ea9c2d-4982-4827-9204-0ac532959f6d}\inprocserver32
Source: c:\program files\explorerpatcher\ep_weather_host_stub.dll | COM Object registered for dropped file: hkey_local_machine\software\classes\clsid\{cdbf3734-f847-4f1b-b953-a605434dc1e7}\inprocserver32
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_setup.exe
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\WebView2Loader.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher
Source: C:\Users\user\Desktop\ep_setup.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Windows\explorer.exe | Code function: 12_2_00007FFD65671640 GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW
Source: C:\Users\user\Desktop\ep_setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\explorer.exeCode function: GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,GetForegroundWindow,GetClassNameW,Sleep,GetForegroundWindow,GetClassNameW,RegDeleteTreeW,Sleep,12_2_00007FFD6565DEA0
Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 483Jump to behavior
Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 470Jump to behavior
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_gui.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_weather_host.dll
Source: C:\Users\user\Desktop\ep_setup.exe | Dropped PE file which has not been started: C:\Program Files\ExplorerPatcher\ep_dwm.exe
Source: C:\Windows\explorer.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Windows\explorer.exe TID: 3636 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65657B50 GetSystemTimeAsFileTime followed by cmp: cmp r15, 02h and CTI: jne 00007FFD65658362h12_2_00007FFD65657B50
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6566D980 InitializeCriticalSection,CreateEventW,CreateEventW,CreateEventW,SetEvent,SetEvent,SetEvent,CreateThread,CloseHandle,SHGetFolderPathW,PathFileExistsW,CreateDirectoryW,CreateMutexExW,CreateEventW,CreateEventW,CreateThread,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetCurrentProcess,K32GetModuleInformation,GetModuleHandleW,GetProcAddress,IsOS,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryW,GetProcAddress,CreateWindowExW,FreeLibraryAndExitThread,SetWindowLongPtrW,FreeLibraryAndExitThread,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,GetModuleHandleW,GetProcAddress,SHELL32_Create_IEnumUICommand,VirtualProtect,VirtualProtect,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetModuleHandleExW,GetCurrentProcess,K32GetModuleInformation,VirtualProtect,VirtualProtect,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,LoadLibraryExW,GetProcAddress,LoadLibraryExW,IsOS,FreeLibraryAndExitThread,CreateThread,CreateThread,CreateThread,CreateWindowInBand,CreateThread,CreateThread,GetWindowsDirectoryW,FindFirstFileW,FindClose,LoadLibraryW,GetProcAddress,GetLastError,12_2_00007FFD6566D980
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565D920 GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,12_2_00007FFD6565D920
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65685AC0 RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetSystemDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,RegQueryValueExA,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegDeleteTreeW,RegCreateKeyExW,RegDeleteValueW,RegCloseKey,12_2_00007FFD65685AC0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65685070 RegCreateKeyExW,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryW,FindFirstFileW,FindClose,GetWindowsDirectoryA,RegCloseKey,RegSetValueExW,RegSetValueExA,RegSetValueExW,RegCloseKey,12_2_00007FFD65685070
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565CE30 CreateFileA,CreateFileMappingW,CloseHandle,MapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,PathRemoveFileSpecA,UnmapViewOfFile,CloseHandle,CloseHandle,FindFirstFileA,FindClose,DeleteFileA,UnmapViewOfFile,CloseHandle,CloseHandle,12_2_00007FFD6565CE30
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD656B3948 FindFirstFileExW,12_2_00007FFD656B3948
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565DAC0 SHGetFolderPathW,FindFirstFileW,FindClose,12_2_00007FFD6565DAC0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65692D90 GetSystemInfo,VirtualAlloc,12_2_00007FFD65692D90
Source: explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00ge
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf
Source: explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00.Explorerll
Source: explorer.exe, 0000000E.00000003.11983899185.000000000A7EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000E.00000003.12003123513.000000000A7E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 63}#00000013CCA00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{887c27cf-b658-19ef-a77e-806e6f6e6963}i!
Source: explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW:\x1
Source: C:\Windows\explorer.exe | Process information queried: ProcessInformation
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65681100 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,12_2_00007FFD65681100
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6566BFE0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,LoadLibraryW,GetProcAddress,LoadLibraryExW,GetCurrentProcess,K32GetModuleInformation,CreateWindowExW,SetWindowLongPtrW,GetCurrentProcess,K32GetModuleInformation,LoadLibraryExW,CreateWindowExW,SetWindowLongPtrW,RegGetValueW,GetModuleHandleW,GetProcAddress,LoadLibraryW,12_2_00007FFD6566BFE0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6567A7B0 GetProcessHeap,12_2_00007FFD6567A7B0
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65690EC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFD65690EC0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65691BB0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FFD65691BB0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD656ABA88 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FFD656ABA88

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 20.233.83.145 443
Source: C:\Windows\explorer.exe | Network Connect: 185.199.110.133 443
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565F4C0 FindWindowW,SendMessageTimeoutW,12_2_00007FFD6565F4C0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65663DA0 FindWindowExW,FindWindowExW,FindWindowExW,SendMessageW,12_2_00007FFD65663DA0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65663880 GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,FindWindowExW,FindWindowExW,FindWindowW,FindWindowExW,FindWindowExW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,SetCursorPos,FindWindowW,PostMessageW,PostMessageW,FindWindowExW,FindWindowW,GetCursorPos,GetCursorPos,MonitorFromPoint,FindWindowExW,MonitorFromWindow,MonitorFromPoint,GetMonitorInfoW,FindWindowExW,MonitorFromWindow,GetMonitorInfoW,GetWindowRect,SetCursorPos,FindWindowExW,PostMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SendMessageCallbackW,PostMessageW,12_2_00007FFD65663880
Source: C:\Windows\explorer.exeCode function: GetModuleFileNameW,PathStripPathW,GetCurrentProcessId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetSystemMetrics,RegGetValueW,RegGetValueW,FindWindowExW,FindWindowExW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,RegSetKeyValueW,SHCreateThread,RegSetKeyValueW,SHCreateThread,LoadLibraryW,RegOpenKeyW,RegCloseKey,LoadLibraryW,LoadLibraryW,GetModuleHandleExW, \explorer.exe12_2_00007FFD65671640
Source: C:\Windows\explorer.exeCode function: Sleep,GetWindowsDirectoryW,CreateProcessW,FreeConsole,GetCurrentProcessId,OpenProcess,TerminateProcess, \explorer.exe12_2_00007FFD6568FAB0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65670370 SetProcessDpiAwarenessContext,GetModuleFileNameW,GetCurrentDirectoryW,GetModuleHandleW,ShellExecuteExW,GetLastError,LoadStringW,LoadStringW,MessageBoxW,GetModuleFileNameW,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,PathRemoveExtensionW,PathRemoveExtensionW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,12_2_00007FFD65670370
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\Desktop\ep_setup.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565E860 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLengthSid,CopySid,DeriveAppContainerSidFromAppContainerName,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,CreateMutexExW,FreeSid,12_2_00007FFD6565E860
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6565D7C0 AllocateAndInitializeSid,CheckTokenMembership,GetLastError,FreeSid,12_2_00007FFD6565D7C0
Source: ep_setup.exe, 00000001.00000003.11825212657.000001322B9BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ClockButtonTrayClockWClassintlshell\explorer\ClockButton.cppShell_TrayWndShowSecondsInSystemClockSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedControl Panel\TimeDate\AdditionalClocks\%uEnableDisplayNameTzRegKeyName ()
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Progman: %d
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Progman hook: %d
Source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanProxy DesktopLocal\ExplorerIsShellMutex58
Source: explorer.exeBinary or memory string: Shell_TrayWnd
Source: ep_setup.exeBinary or memory string: runasExplorerPatcherntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exeopenep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerFrame.dll (ExplorerPatcher).lnk\shell32.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcherUninstallStringDisplayNameVALINET Solutions SRLPublisherNoModifyNoRepair\ExplorerPatcher.amd64.dll%d.%d.%d.%dDisplayVersionVersionMajorVersionMinorDisplayIcon\ExplorerPatcher\cleanup_.tmp.preven-USmuipriep_taskbar.0.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\*.../extractIsWow64Process2kernel32.dllx64ARM64/uninstall/uninstall_silentep_uninstall.exe/update_silentUndockingDisabledSOFTWARE\Microsoft\Windows\CurrentVersion\Shell\Update\PackagesGlobal\ep_setup_D17F1E1A-5919-4427-8F89-A1A8503CA3EB/f /im explorer.exeGlobal\ep_dwm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}stop 
ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}Software\ExplorerPatcherOpenPropertiesAtNextStartep_setup.exeSOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32\ExplorerPatcher\ExplorerPatcher.amd64.dll"\regsvr32.exeExplorerPatcher.IA-32.dllExplorerPatcher.IA-32.dllExplorerPatcher.amd64.dllExplorerPatcher.amd64.dllep_gui.dllep_gui.dllep_dwm.exeep_dwm.exeep_weather_host.dllep_weather_host.dllep_weather_host_stub.dllep_weather_host_stub.dllWebView2Loader.dllWebView2Loader.dllar-SAbg-BGca-EScs-CZda-DKde-DEel-GRen-GBes-ESes-MXet-EEeu-ESfi-FIfr-CAfr-FRgl-EShe-ILhr-HRhu-HUid-IDit-ITja-JPko-KRlt-LTlv-LVnb-NOnl-NLpl-PLpt-BRpt-PTro-ROru-RUsk-SKsl-SIsr-Latn-RSsv-SEth-THtr-TRuk-UAvi-VNzh-CNzh-TWprisStartUIWindows.UI.ShellCommon.pripnidui/Windows.UI.ShellCommon/pnidui.dllpnidui/pnidui.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{C2796011-81BA-4148-8FCA-C6643245113F}AutoStartdxgi.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewywincorlib.dllep_startmenu.dllwincorlib_orig.dll\wincorlib.dll\wincorlib_orig.dllJumpViewUI_.dllJumpViewUI/JumpViewUI.dllStartUI_.dllStartUI/StartUI.dllAppResolverLegacy.dllStartTileDataLegacy.dll\en-USStartTileDataLegacy.dll.mui\pris2Windows.UI.ShellCommon.en-US.pri\SystemApps\ShellExperienceHost_cw5n1h2txyewy\rundll32.exe "\ExplorerPatcher\ep_gui.dll",ZZGUI\ExplorerPatcher\ep_setup.exe" /uninstallstart ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EBdelete ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB\ExplorerPatcher\ep_weather_host.dll"\ExplorerPatcher\ep_weather_host_stub.dll"SOFTWARE\Policies\Microsoft\Windows\ExplorerSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\cleanupSOFTWARE\Microsoft\Windows\CurrentVersion\RunOncecmd /c rmdir /s /q ""ExplorerPatcherCleanupIsUpdatePendingrbr+bwb1.3.1.1-motley unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll@
Source: explorer.exeBinary or memory string: Progman
Source: ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eptmpw+Unknown exceptionbad array new lengthSoftware\ExplorerPatcherLanguageen-USvector too long\Shell_TrayWnd
Source: explorer.exe, 0000000C.00000003.11854671315.0000000003787000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11866284977.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11940859745.000000000ACC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %s%sLocal\AppReadinessCompletionEventAssignedAccessConfigurationSOFTWARE\Microsoft\Windows\AssignedAccessConfigurationShell_TrayWndVersion%s\%sUserStateSoftware\Microsoft\Windows\CurrentVersion\AppReadinessAppReadinessServicesActiveConfigsGroupConfigsGlobalProfileIdSOFTWARE\Microsoft\Windows Embedded\LockdownPostAppInstallTasksCompletedMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewyWaitOnShellStartupntdll.dllRtlIsStateSeparationEnabledEnable Balloon TipStartLayoutReadyEventAppResolverReadyEventLocal\ShellStartupEventShellDesktopSwitchEventReuseImmersiveShellPointerShowOnlyQuickLaunchDeskBandAllLogonTasksTerminateShellApplicationsTestUnlockDataTestQueryDataTestReportelapsedTimeRestartSavedAppstesterrorslogversion
Source: ep_setup.exe, 00000001.00000003.11822258609.0000013228E3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRShell_TrayWnd\explorer.exe\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dllep_taskbar.0.dllep_taskbar.1.dllep_taskbar.2.dllep_taskbar.3.dllep_taskbar.4.dllep_taskbar.5.dll\ExplorerPatcher\ImmersiveContextMenuArray[ROD]: Level %d Position %d/%d Status %d
Source: explorer.exeBinary or memory string: Progman: %d
Source: explorer.exeBinary or memory string: Progman hook: %d
Source: explorer.exe, 0000000C.00000003.11860676089.0000000003800000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.11856615647.000000000378C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.11868609315.0000000002DF4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndIsAutoHideEnabledUndockedSearchAppExperienceManager_PositionSearchAppWindowLauncherInvokeActivitySetViewPosition~,B;+,,N
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Microsoft-Symbol-Server/10.0.10036.206msdl.microsoft.comabcdefghijklmnopqrstuvwxyzProgmanProxy Desktop\explorer.exeopenInputSwitch.dllxx??x??xxx????xxD8t
Source: ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Shlwapi.dllSHRegGetValueFromHKCUHKLMShell_TrayWndntdll.dllRtlGetVersion\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersionUBRMicrosoft.Windows.ShellManagedWindowAsNormalWindowShell_SecondaryTrayWndvalinet.ExplorerPatcher.ShellManagedWindowExplorerFrame.dllDesktopSHELLDLL_DefViewWorkerWComctl32.dllLoadIconWithScaleDownwin32u.dllNtUserBuildHwndListuser32.dllHungWindowFromGhostWindowGhostWindowFromHungWindowSetWindowCompositionAttributeCreateWindowInBandGetWindowBandSetWindowBandIsTopLevelWindowInternalGetWindowTextInternalGetWindowIconuxtheme.dllshcore.dll
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD656B98E0 cpuid 12_2_00007FFD656B98E0
Source: C:\Windows\explorer.exeCode function: CoCreateInstance,IUnknown_QueryService,FindWindowW,GetPropW,GetThreadUILanguage,GetLocaleInfoW,12_2_00007FFD656893F0
Source: C:\Windows\explorer.exeCode function: RegCreateKeyExW,RegQueryValueExW,GetLocaleInfoW,GetLocaleInfoW,SetThreadPreferredUILanguages,RegCloseKey,12_2_00007FFD65674E90
Source: C:\Users\user\Desktop\ep_setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ep_setup.exeCode function: 1_2_00007FF611E98E6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00007FF611E98E6C
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD6566A5A0 SHBindToObject,12_2_00007FFD6566A5A0
Source: C:\Windows\explorer.exeCode function: 12_2_00007FFD65690840 SHParseDisplayName,SHBindToParent,CreatePopupMenu,TrackPopupMenuEx,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,RegQueryValueW,RegGetValueW,GetMenuItemInfoW,InsertMenuItemW,InsertMenuItemW,InsertMenuItemW,GetMenuItemInfoW,DestroyMenu,CoTaskMemFree,12_2_00007FFD65690840
MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique name is reproduced as shown in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 2 Native API; 2 Command and Scripting Interpreter; 1 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Component Object Model Hijacking; 2 Windows Service; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Component Object Model Hijacking; 2 Windows Service; 122 Process Injection; 1 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 23 Masquerading; 2 Virtualization/Sandbox Evasion; 122 Process Injection; 1 Regsvr32
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 11 System Time Discovery; 2 File and Directory Discovery; 35 System Information Discovery; 41 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 11 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1578478; Sample: ep_setup.exe; Startdate: 19/12/2024; Architecture: WINDOWS; Score: 60)

Top-level DNS/IP info: www.msn.com; tse1.mm.bing.net; 4 other IPs or domains
Top-level signatures: Possible COM Object hijacking; Sigma detected: Explorer NOUACCHECK Flag
Top-level processes started: ep_setup.exe 9 36; explorer.exe 47 160; WidgetBoard.exe
ep_setup.exe dropped files: C:\Program Files\...\ep_weather_host_stub.dll (PE32+); C:\Program Files\...\ep_weather_host.dll (PE32+); C:\Windows\dxgi.dll (PE32+); 12 other files (none is malicious)
ep_setup.exe started: explorer.exe 3 1; taskkill.exe 1; sc.exe 1; 3 other processes
explorer.exe (top-level) DNS/IP info: github.com 20.233.83.145, 443, 49790, 49792, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; objects.githubusercontent.com 185.199.110.133, 443, 49794, FASTLYUS, Netherlands
explorer.exe (top-level) signatures: System process connects to network (likely due to code injection or exploit)
explorer.exe (started by ep_setup.exe) signatures: Contains functionality to automate explorer (e.g. start an application)
taskkill.exe started: conhost.exe; sc.exe started: conhost.exe; the 3 other processes started: conhost.exe

Source | Detection | Scanner
ep_setup.exe | 8% | ReversingLabs
Source | Detection | Scanner
C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_dwm.exe | 3% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_gui.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_setup.exe | 8% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_taskbar.2.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host.dll | 0% | ReversingLabs
C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll | 3% | ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\JumpViewUI_.dll | 0% | ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll | 0% | ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll | 0% | ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll | 0% | ReversingLabs
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\dxgi.dll | 0% | ReversingLabs
C:\Windows\dxgi.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Reputation
github.com | 20.233.83.145 | true | false | high
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | high
objects.githubusercontent.com | 185.199.110.133 | true | false | high
srtb.msn.com | unknown | unknown | false | high
tse1.mm.bing.net | unknown | unknown | false | high
Name | Source | Malicious | Reputation
https://user-images.githubusercontent.com/6503598/156949459-dfe70eba-6c2c-4b1c-b51b-27c13ce7c08c.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.microsoftonline.com/ | explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.valinet.ro) | ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://adaptivecards.io/schemas/adaptive-card.json | WidgetBoard.exe, 00000014.00000002.13651394023.00000236E6B35000.00000004.00000020.00020000.00000000.sdmp | false | high
https://signup.live.com/ | WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmp | false | high
https://go.skype.com/meetnowlearn.winshell | ep_setup.exe, 00000001.00000003.11827026660.000001322BA74000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949442-63f14d44-ec0e-40b2-aa1b-8e4a27ec10f5.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/valinet | ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949445-60d12efa-a21d-40e0-b9a8-1b7a84e58944.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949452-f347fe27-5005-48f2-9c9a-899bb7b8825e.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949451-269d02a3-08cb-4237-9789-f1e60fdc723d.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949465-54dd31c6-7e3a-464a-8e64-8b54b6fb7a65.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.windows.local/ | explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp | false | high
https://aka.ms/Vh5j3k | explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmp | false | high
https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc | explorer.exe, 0000000E.00000003.12025005518.000000000A757000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12017307599.000000000A757000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12011879661.000000000A757000.00000004.00000020.00020000.00000000.sdmp | false | high
https://account.live.com/ | WidgetBoard.exe, 00000014.00000002.13647627723.00000236E4E5D000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647289234.00000236E4E47000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13647993600.00000236E4E88000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650603961.00000236E6B02000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649499798.00000236E4EE1000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13649266539.00000236E4ED0000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648200876.00000236E4E9B000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13650938977.00000236E6B13000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648434910.00000236E4EAC000.00000004.00000020.00020000.00000000.sdmp, WidgetBoard.exe, 00000014.00000002.13648691521.00000236E4EBF000.00000004.00000020.00020000.00000000.sdmp | false | high
https://aka.ms/odirm | explorer.exe, 0000000E.00000003.12143590504.0000000007864000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949438-4e0c0e0d-67bc-4c76-b75e-e0ffcead3f48.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1 | ep_setup.exe, 00000001.00000003.11833924594.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp | false | high
https://www.google.com/search?hl=%s&q=weather%s%s%s%s%s%s%s%spCoreWebView2ExecuteScriptCompletedHand | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp, ep_setup.exe, 00000001.00000003.11823886137.0000013228E3A000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949444-d3aea936-4c22-4f17-a201-02155396684d.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/ | explorer.exe, 0000000E.00000003.12160188405.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12062804617.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12104924851.0000000007A59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12152136805.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000003.12139286268.0000000007A52000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949443-062a0fa9-88c1-4e07-b6b1-8e52ff64f4f3.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949461-1f058cf3-6fdd-4aeb-80b7-68fa27b02845.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.valinet.ro | ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://user-images.githubusercontent.com/6503598/156949449-9320c6f5-15ef-4c17-9e72-740708f4828c.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/valinet) | ep_setup.exe, 00000001.00000003.11823232661.000001322B7B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949458-dc66775d-8bb9-4d04-838e-7f550d305c26.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.windows.localc | explorer.exe, 0000000E.00000003.12143590504.0000000007910000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://user-images.githubusercontent.com/6503598/156949462-f50c21dd-85dd-4d9c-a4eb-516e6cddfb1f.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949448-cd1b69af-4028-4153-8e40-288526577b58.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
http://www.winimage.com/zLibDll | ep_setup.exe | false | high
https://user-images.githubusercontent.com/6503598/156949450-7e03a3f5-580e-4414-aaeb-3a0898afd1da.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949456-04a4bdbd-ff3b-4484-bb30-8909baff8aa8.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949460-7c132d89-efb7-457f-8810-9bf235f5737f.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949447-a6658710-567e-4977-9316-a80007df3076.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949463-a427edfb-3d7f-4167-bd6f-f5019c482ea1.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156950233-ccaadb4a-2e9a-4934-b41c-acd36a7f0d9c.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://user-images.githubusercontent.com/6503598/156949454-81d5d47d-1f33-4859-a112-5a64ceb549a1.png | ep_setup.exe, 00000001.00000003.11823830987.000001322B6B1000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
20.233.83.145 | github.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.199.110.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1578478
                                                                                          Start date and time:2024-12-19 19:42:08 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 10m 37s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
                                                                                          Run name:Run with higher sleep bypass
Number of new started processes analysed:45
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:ep_setup.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal60.evad.winEXE@18/35@4/2
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 50%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 72%
                                                                                          • Number of executed functions: 53
                                                                                          • Number of non-executed functions: 186
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, SearchHost.exe, SIHClient.exe, appidcertstorecheck.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, ShellExperienceHost.exe, conhost.exe, StartMenuExperienceHost.exe, mobsync.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 23.218.208.109, 204.79.197.203, 204.79.197.219, 20.209.194.1, 20.209.117.33, 20.209.116.33, 20.150.79.68, 20.150.70.36, 20.150.38.228, 20.150.38.4, 20.223.35.26, 104.126.116.104, 104.126.37.171, 20.12.23.50, 40.126.53.19
                                                                                          • Excluded domains from analysis (whitelisted): blob.sat09prdstrz08a.trafficmanager.net, slscr.update.microsoft.com, msdl-microsoft-com.a-0016.a-msedge.net, cxcs.microsoft.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, msdl.microsoft.com, vsblobprodscussu5shard73.blob.core.windows.net, a-0016.a-msedge.net, login.live.com, th.bing.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, www.bing.com, client.wns.windows.com, fs.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, blob.sat12prdstrz10a.store.core.windows.net, www-msn-com.a-0003.a-msedge.net, x1.c.lencr.org, blob.sat12prdstrz10a.trafficmanager.net, vsblobprodscussu5shard86.blob.core.windows.net, mm-mm.bing.net.trafficmanager.net, blob.sat09prdstrz08a.store.core.windows.net, res.public.onecdn.static.microsoft, msdl.microsoft.akadns.net, vsblobprodscussu5shard82.blob.core.windows.net, blob.sat09prdstr04a.store.core.windows.net
• Execution Graph export aborted for target ep_setup.exe, PID 8320 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                          • Report size getting too big, too many NtOpenKey calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                          • VT rate limit hit for: ep_setup.exe
Time | Type | Description
19:43:20 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
Match | Associated Sample Name / URL | Detection | Threat Name | Context
20.233.83.145 | Y5kEUsYDFr.exe | malicious | Unknown | github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
185.199.110.133 | sys_upd.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | cr_asm_menu..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | cr_asm_phshop..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | cr_asm_atCAD.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | xK44OOt7vD.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | Lm9IJ4r9oO.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.110.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
github.com | https://pdf.ac/3eQ2md | malicious | HTMLPhisher, Tycoon2FA | 140.82.112.3
github.com | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 140.82.121.4
github.com | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | 20.233.83.145
github.com | https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi | malicious | Unknown | 20.233.83.145
github.com | file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 20.233.83.145
github.com | main.exe | malicious | Unknown | 20.233.83.145
objects.githubusercontent.com | https://pdf.ac/3eQ2md | malicious | HTMLPhisher, Tycoon2FA | 185.199.108.133
objects.githubusercontent.com | https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | in.exe | malicious | Babadeda, HTMLPhisher | 185.199.111.133
objects.githubusercontent.com | https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe | malicious | Unknown | 185.199.108.133
objects.githubusercontent.com | Dfim58cp4J.exe | malicious | DCRat, PureLog Stealer, zgRAT | 185.199.110.133
objects.githubusercontent.com | QlyOUFGIFB.exe | malicious | MicroClip | 185.199.111.133
                                                                                          Cooperative Agreement0000800380.docx.exeGet hashmaliciousBabadeda, Blank GrabberBrowse
                                                                                          • 185.199.109.133
                                                                                          https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exeGet hashmaliciousUnknownBrowse
                                                                                          • 185.199.108.133
                                                                                          SplpM1fFkV.exeGet hashmaliciousUnknownBrowse
                                                                                          • 185.199.109.133
                                                                                          ax-0001.ax-msedge.nethttps://pdf.ac/3eQ2mdGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                                                                          • 150.171.28.10
                                                                                          IzFEtXcext.dllGet hashmaliciousUnknownBrowse
                                                                                          • 150.171.27.10
                                                                                          slifdgjsidfg19.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                          • 150.171.28.10
                                                                                          1AqzGcCKey.exeGet hashmaliciousQuasarBrowse
                                                                                          • 150.171.27.10
                                                                                          kqeGVKtpy2.exeGet hashmaliciousQuasarBrowse
                                                                                          • 150.171.28.10
                                                                                          22054200882739718047.jsGet hashmaliciousStrela DownloaderBrowse
                                                                                          • 150.171.27.10
                                                                                          bPkG0wTVon.exeGet hashmaliciousUnknownBrowse
                                                                                          • 150.171.27.10
                                                                                          https://pdf.ac/4lLzbtGet hashmaliciousUnknownBrowse
                                                                                          • 150.171.28.10
                                                                                          https://www.bing.com/ck/a?!&&p=24da94b1cbc4e30be5abd9acb5737b3bdb775a56c39aac0141dd9c17c937dea1JmltdHM9MTczMzI3MDQwMA&ptn=3&ver=2&hsh=4&fclid=1bf8b81c-3b95-652f-24ec-ad573a81643b&u=a1aHR0cHM6Ly93d3cueXV4aW5na2V0YW5nLmNvbS9jb2xsZWN0aW9ucy90aHJvdy1ibGFua2V0cw#aHR0cHM6Ly9Uby5lZW1qaGl1bHoucnUvek83UkZORy8=Get hashmaliciousUnknownBrowse
                                                                                          • 150.171.28.10
                                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | https://github.com/valinet/ExplorerPatcher | malicious | Unknown
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | malicious | Unknown
C:\Program Files\ExplorerPatcher\WebView2Loader.dll | SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe | malicious | Unknown
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 156672
Entropy (8bit): 6.364786295249098
Encrypted: false
SSDEEP: 3072:cwWidqj5vQxW0UwC7yqs2Pa+lpshaVXPHefiCaSveMhouw:cwWioKUwC7yqPaKpdmfUAw
MD5: E5BB14C2B9AF4D5BF6C38E0759F454DD
SHA1: 8CE23BE643A9AC1745EE824FF91621A0B8FCDAF8
SHA-256: A4FD75AC8F852EDC8BDB88A705EEEE2C93F6EC51EF9FA0739A11A690A067C66D
SHA-512: D2E0E3176304289F0EFE635D3F751A6389B48AFFF4E2348E478993A29ABA7941624E53F076BC09BBA4BA0470E171CD2582254261584D2369D7CEB9DBD45A56CB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 716288
Entropy (8bit): 6.218933147794801
Encrypted: false
SSDEEP: 12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
MD5: 8BFCA71ADD96D3DE75173D464792E2B9
SHA1: FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
SHA-256: 5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
SHA-512: B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
Category: dropped
Size (bytes): 4860
Entropy (8bit): 4.810458524638355
Encrypted: false
SSDEEP: 96:Szb3zrXjrLaiL94z8C6ktlOEknTJOOY8NIBKYzzsnxiZbxS/:SzrHzrOB8C1IdxiNxY
MD5: 47EDFB34AA1D759AA24AB417F1723725
SHA1: 460DED5841C518D900F690B4222BFE0C3D48BFAC
SHA-256: 54C6D49B8F5B28ABB78B35C21E39F3C40997450D462246599BDDE44782AC754E
SHA-512: 10A167AA25376F04EA600B61AD374AD84641205EA381CB1372800E593680135E9BBC1C0A773EDA06AC68148C5D969E62AF6816A77302C52746F715A67B31CDBC
Malicious: false
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: TrueType Font data, 15 tables, 1st "OS/2", 37 names, Microsoft, language 0x403, type 2 string, Normaloby
Category: dropped
Size (bytes): 7492
Entropy (8bit): 5.707445677539256
Encrypted: false
SSDEEP: 192:szrHzrkB8aoRIkPRPfPHS5oX8G7/xqNxY:arnkB8fImRHKOsq/xqo
MD5: 7DBD65D015C1085F472D9408C4CD560A
SHA1: 3712986F8B7EEDD4BA875DB4FCBA9B4DE149D22A
SHA-256: 991B0F2E9C2CDE7E2F78E79CE31EBF5BD7BCFF085FC7CA120B787556A6ABD30D
SHA-512: 2A6EB6CFF77085FB5DEEB2A9E3EACA3E817E11FA466F4A83D72E782760B941A7E495BC6EBC10EEB3C6C431A61AADC7BC5EAB284840DA031EDD58C6E50B732F5D
Malicious: false
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 7723
Entropy (8bit): 7.82866767742915
Encrypted: false
SSDEEP: 96:y9O6OFOhjDn7dga5zMwatQ6QW57bUvbIYWikhF12EQuG9wmmnsvlVoliWTKAHOOK:yTDdga5AwaVLbUjRDEQuCmRliWvi
MD5: 4801FD82293A7B77B553635E733AD81C
SHA1: F1BBBFF5A1618CA5851A8CB6DD7B79118C95097C
SHA-256: B0134C30F2F35B00E050262005FF4EE0663498688572EDED15433C8A8CBABB5E
SHA-512: 072C3224EB764A652228B1DE032F25C89A7CBD0D44F988C21E56DFF941E6925BC20C245031524FBE6CE94614DC93A172F40A2F825934B52D02C099263225283E
Malicious: false
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 4827
Entropy (8bit): 7.927350997586525
Encrypted: false
SSDEEP: 96:RtM05MPLNlyr6x0zh99tQ7h8Zdi1vHzamUyNcdnA2Pm:RtMF+rK0zhg8ZMp4dnPm
MD5: 61F8C73839E9E20A3F3F817884E0050A
SHA1: 79F0FE04F097025821F9F00C492DA1B86BD036E8
SHA-256: 50D38CC6013B17CA7EAAACE84EB9DF59652AEA1E7B9B8CF6F8AC1F0274B261B8
SHA-512: 2F01D2B946B019D80CB5CAC5F100DFBC24E7ABC5EFD689ED01F1762A57859F10F6B26FEB8F51AB6C3399192BCA3B115861FA9FA079AE632855322D74992AA9C2
Malicious: false
Process: C:\Users\user\Desktop\ep_setup.exe
File Type: PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 5446
Entropy (8bit): 7.7182554234602225
Encrypted: false
SSDEEP: 96:a3NOGqOlOUqJAksxzEKZ6bDQEwLEf17HZkyYXMUEjPtSPa43hTe2IG2ohXtFx1oc:saBozjSrn7JVQPBRHZ5LxF
MD5: 834B785D846929658BE3754439B93661
SHA1: B7AC15FF63E5DE7021BABFD8E5E53E3D5FD43BA6
SHA-256: EE0F4170B7841A3BE39C0B3BEE0D51384A98A1CAF3C825132EDA43030784E84C
SHA-512: 9E45A7C8A67D25B34C4E7C49B7025524249B77FAA7516531E9DF40FCA6520990E07D9B92FB163092DE4D27B047C4BB55FF8D4486B2AAF66DE964C45D120648AB
Malicious: false
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PNG image data, 142 x 142, 8-bit/color RGBA, non-interlaced
                                                                                                Category:dropped
                                                                                                Size (bytes):3550
                                                                                                Entropy (8bit):7.897867714150185
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:zjztgfNxDuMeu66kwqBmGSJj2ddfO5yRKg4MsgpH2T9T1:nmUaC5ddwyiCH25x
                                                                                                MD5:3E9B58E469D2564FE06417E5B083D409
                                                                                                SHA1:6379ED82C12C5D11E67C637DF38FC605BF5B7804
                                                                                                SHA-256:0D90405D6F77EDE77D6875FC635EA061AEC5599AF5D6B99C48413C84F8B6464E
                                                                                                SHA-512:88682E4B76FE9CA986C33F58261641F2B0E6A02687E55571CD818FBA296EF9F97541976C92963913FAD0C9FAE53A63C86A7EBC53820ED58FA46C81DF09F5D7EA
                                                                                                Malicious:false
                                                                                                Preview:.PNG........IHDR...............0.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..]..V...=.....R./.QU$..I#A"x(....R*.g.J.@|.x..(...*..!/....Q.T...RE.TP.*JSh...!4D.M.l..c...{...sm...........x......V..bb.5ON...#&...8b.....#&...8b....#&&...8b....#&....8b....#&...8bb....#&...8b.....#.A....Ru...k3...;....G...".gu.L*PX.{P.Y_hT.:5.. s..*@A..Q..kj.%....8.P.Y=4..U.....*.'......Z..&..E`..(.6..+..2...T.<......Y.+..(G`).$*..Vx..Q.....{..8...DX.......^G..f.p. q.."..vQ.4.Y....*..i...6..ks.Yo....l1M.Laz|.v..rD..Z\...E...r2o.."x.q.....n<....2.W.UU.8h2X.......}.w.h.....v...o..K....S.,..i..:j=.....s%.j..dS......L0.nh.-.\..]?.}8^\NU(......78.FN.!.Q..9...j7...f[[.w..y......@?p..(...t....S...H3.Uw-.sXaT..i5......G....S...=y..8..jS.8eu.........jT.,.0S..T.....BJ...MY.6.6.4..T...;..)...n.=&...M.I\UQlS.4..TI.d...p.......6...:...m..<&....+N...u..l.|C%.AMiS.c...E..G..x...o.....d.a...V..V.t.,.k..8.E..cl...ie.t....N....eOy1@^o9iws..Q:.O$8E...........?.D.....E|H^g......_.m.......
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):165336
                                                                                                Entropy (8bit):6.238659206665009
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:7evoTTlTRTyiuPThTNTKm81SbbMYSPLNsknZiZ2HZ5AaliiT88FEtJ57dXSvlCW:HTlTRTyiuPThTNTKmFQdhsknZiMHfEti
                                                                                                MD5:C5F0C46E91F354C58ECEC864614157D7
                                                                                                SHA1:CB6F85C0B716B4FC3810DEB3EB9053BEB07E803C
                                                                                                SHA-256:465A7DDFB3A0DA4C3965DAF2AD6AC7548513F42329B58AEBC337311C10EA0A6F
                                                                                                SHA-512:287756078AA08130907BD8601B957E9E006CEF9F5C6765DF25CFAA64DDD0FFF7D92FFA11F10A00A4028687F3220EFDA8C64008DBCF205BEDAE5DA296E3896E91
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: , Detection: malicious
                                                                                                • Filename: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, Detection: malicious
                                                                                                • Filename: SecuriteInfo.com.Trojan.Win64.Meterpreter.11595.2675.exe, Detection: malicious
                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....sgf.........." .....\..........@F....................................................`A........................................Y...0.......(............P.......^...'..............T...................P...(....q..@...........h...........`....................text...][.......\.................. ..`.rdata..|....p.......`..............@..@.data...D....0......................@....pdata.......P......."..............@..@.gxfg...p....p.......8..............@..@.retplne.............J...................tls.................L..............@..._RDATA...............N..............@..@.rsrc................P..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):2967344
                                                                                                Entropy (8bit):5.1369255772687055
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:sQIx3Fyi5T+bi/Lkhai/LkhdxQe/khY+iNO+WPqsGu4udw8Y8QUVQxK3itG4BWO6:sQIx3F+gW1u+QEitG4mfy+v1R
                                                                                                MD5:B5EDF00A3AD977E6587CFEAD07D22726
                                                                                                SHA1:BEB46626C5B8AD2A8426B8482A0C68F9DC09298D
                                                                                                SHA-256:BD15C1C4F88EEDFC86DEA1E1692F84AC37638694858D11C02B22705945D1330E
                                                                                                SHA-512:48FE5DF7932A0A10C21D69571BB5C6423ED052635FBDD6A640C73E032B84BB06A8C1321D539A8ADBE0FD56DBC4145F550DA9840D57BBDCBDE6784A6C2F3D0B2D
                                                                                                Malicious:false
                                                                                                Preview:mrm_pri2....0G-. ...............[mrm_decn_info].................[mrm_pridescex].............h...[mrm_hschemaex] ........8.......[mrm_res_map2_].............8...[mrm_dataitem] .............X.*.[mrm_dataitem] .........`.+..(..[mrm_dataitem] .........x.,.@...[mrm_dataitem] ...........,.XW..[mrm_dataitem] ..........1-.....[mrm_dataitem] ..........2-.....[mrm_dataitem] .........`4-.p...[mrm_dataitem] ..........5-.....[mrm_dataitem] .........x7-.p...[mrm_dataitem] ..........8-.....[mrm_dataitem] ..........:-.....[mrm_dataitem] .........8<-.....[mrm_dataitem] ..........=-.....[mrm_dataitem] ..........?-.....[mrm_dataitem] .........0A-.....[mrm_dataitem] ..........B-.....[mrm_decn_info].........................1.!.................,...............................................................................................................k...........................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):118272
                                                                                                Entropy (8bit):5.883424207863698
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:TmxpiUI+RrEAqTZLO1bLB1bmRYOalQIO:T+iD+TqTZyXvlQ
                                                                                                MD5:6563C5338177FF66050EADFE3960C567
                                                                                                SHA1:20E6E7C7778861756549062C5C0715090CAD0E52
                                                                                                SHA-256:315AF6DF079B31BAC26156C9DDA8CC415C76408A39972346C238888AAFF79921
                                                                                                SHA-512:724B9823E36B99490CD9B86A9B6EF33C35C5F92761ABF7D6B2D00C0398B14679DFD07189519025E89F8DCEF2409B0FDFAA48EDF77B07764A4ED6CF6C683B330C
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m.^k..^k..^k......[k.......k......Tk..N...Wk..N...Nk..N...vk......Uk..^k..&k......_k......_k..^k.._k......_k..Rich^k..........PE..d...?,&g.........."....).............'.........@..........................................`....................................................x...............................h...0...p...............................@...............`............................text...`........................... ..`.rdata..Z...........................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):752128
                                                                                                Entropy (8bit):5.474681591921442
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:izq5NAtIjhy7rsdQiwHg4aG0Y/ist23ed3TqxkOyBGO:cqPA2jhyPASV
                                                                                                MD5:81CD6D96F81B1E54AA327A4AF6BCBE85
                                                                                                SHA1:B786C4BDE03D1566B1B040EB8970B82F7B80A007
                                                                                                SHA-256:B23BAB1F5DC85C9E10145EEB32214D6CFE02FB5ABCF956A37A3C9DD7E09FEE67
                                                                                                SHA-512:A1360B71BA11B529BD21F8C93C6CEEC01C4FAA9D33CA5E5FA62ACB118CEBF1E9E1D38EA17D236D1F8BD0D790F6B743329D41598D5A62C794B4786C14975782BE
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.................................".....=...............................................................................Q.......9.............Rich....................PE..d...M,&g.........." ...)............x.....................................................`.................................................<...,....P...m...0.........................p...............................@............................................text... ........................... ..`.rdata..,...........................@..@.data...0#..........................@....pdata.......0......................@..@.rsrc....m...P...n..................@..@.reloc...............r..............@..B................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):11143168
                                                                                                Entropy (8bit):7.989614560554252
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A
                                                                                                MD5:F164888A6FBC646B093F6AF6663F4E63
                                                                                                SHA1:3C0BB9F9A4AD9B1C521AD9FC30EC03668577C97C
                                                                                                SHA-256:8C5A3597666F418B5C857E68C9A13B7B6D037EA08A988204B572F053450ADD67
                                                                                                SHA-512:F1B2173962561D3051EC6B5AA2FC0260809E37E829255D95C8A085F990C18B724DAFF4372F646D505DABE3CC3013364D4316C2340527C75D140DBC6B5EBDEEE1
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                Preview:MZ......................@...............................................!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........ uO.A...A...A...9...A...9...A.......A.......A.......A.......A...9...A...9...A...9...A...A..NA.......A.......A...A...A.......A..Rich.A..................PE..d...v,&g.........."....).P....................@.............................@............`..................................................K...............................0.......(..p...........................p'..@............`...............................text...pO.......P.................. ..`.rdata.. ....`.......T..............@..@.data...T....`.......R..............@....pdata...............^..............@..@.rsrc................z..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2309632
                                                                                                Entropy (8bit):5.9603372344097245
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:V9X7GWGVgWGwN78HKBJfJNrkrhcxaPs/P5+/Dd:VMiQkFcxaEGDd
                                                                                                MD5:DCE36294E4AB8F9F85357698ED5A8CEA
                                                                                                SHA1:5511F09C022693E5A8644B59C46CF8AC9C4D0256
                                                                                                SHA-256:696938E9820976C632F42A39A6B74A04C3262C4217F6B0F27D1B0E8C3280A02E
                                                                                                SHA-512:99FA0E6DFB8A5BA8D38B0EA7398C131F99D2F7D83D134FD5BB03F8E7D5E4141A7BFCFD005E61D208B1FB33149D8274CC164211A453FE5833F13DDF6696902210
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........P[...[...[.......S..........K...R...K...K...R.A.....K...f.......B.......Z.......F...[..................Z.....-.Z...[.E.\.......Z...Rich[...........................PE..d...Ex%g.........." ...)......................................................#...........`.........................................`....,..8...D....p.......................`#.L0......p.......................(......@...............@.......@....................text...t........................... ..`.rdata...Y.......Z..................@..@.data....9...P.......:..............@....pdata...............P..............@..@.rsrc........p......."..............@..@.reloc..L0...`#..2....#.............@..B........................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):244224
                                                                                                Entropy (8bit):5.982317924874446
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:xjW86bHWeRLwF/ov4P3dUXqu/FYu9L33+C+TS9eEXB9aospWoU6P:xEbHWK0gv4GXZ/rpEWoh
                                                                                                MD5:AAC2857727CFF3CD7B291F9500196F73
                                                                                                SHA1:C86EEDFF45B672DF58885F12E7A7AEE3398C618B
                                                                                                SHA-256:78ED3E3676D97C337FEF071B522805F4CF742587A40F96AF4AA4D74FEE0AF88A
                                                                                                SHA-512:A4C54B4221B1745FE1DE6D53FCD7A528B4BACDA6B2C66E02D55BD5867D118E042A35490E45B64C2D24398A9AC06E356BF10A2822F83663D52C1A28E10F0A52E5
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6v..X%..X%..X%.[$..X%.]$..X%.y[$..X%.y\$..X%.y]$..X%.\$..X%.Y$..X%..X%..X%..Y%'.X%.xP$..X%.xX$..X%.x.%..X%...%..X%.xZ$..X%Rich..X%................PE..d...D,&g.........." ...).............e....................................................`..........................................~......,.......................................@^..p............................]..@...............@............................text...0........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):111616
                                                                                                Entropy (8bit):5.926529844260868
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:uw+B6bvTxS8Si7ixJSHQ8YmpqvA9uf+UfKzwzsW7dJ9dlPXdremU:/3TxMpxJuQ8bpwouf+f07hJ9emU
                                                                                                MD5:E477912C435DB101603781DCC44289E1
                                                                                                SHA1:7B2EDA1B6055E8874F37FB9B48BCC933BF69C1C3
                                                                                                SHA-256:0930D2E71353A411D96DC4DFDD473DACE98D1B7B9546AC4C185F8984F8B9C18B
                                                                                                SHA-512:9F8089742099A789387381980EC5B493DEEC46BD73F39CF8FA9919BE4DD772B20C70246E5E90D625011F052D5C3B2000B42C50843956D74FB85FF1B1D18EACE9
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z.R...R...R.......W..............X...B...[...B...\...B...r.......U...R...'.......Q.......S......S.......S...RichR...........PE..d...A,&g.........." ...)............p.....................................................`.................................................X...P...............................x.......p...........................P...@...............8............................text... ........................... ..`.orpc...,........................... ..`.rdata.............................@..@.data...h...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B........................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):187808
                                                                                                Entropy (8bit):5.898309599415517
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:M+Hus1m6HLzoyVgyAIYlXilvkp+qhEUmkqCZB1+5vGFk:M+TmqIy4IWhEUmkrSvGFk
                                                                                                MD5:18AF812E01A575418952ACEFBE232F0B
                                                                                                SHA1:6672685B3EB8FAF7DCEEF22A0C0866F66850EAEF
                                                                                                SHA-256:48DE9376E52993C66956EDD30A58EC1F8ED58F4E9AE21AD2D1A739AD952AE1FC
                                                                                                SHA-512:8E4F736EDE86C5B108EC9B9C693EE82AC8C2BBEB005E15B39A1777C67C81A7A6AA0CF633BA6A21FBD8E0BB566420EFF23117A0AC6114020913BE03FBD9D776A9
                                                                                                Malicious:false
                                                                                                Preview:mrm_pri2........ ...............[mrm_decn_info].................[mrm_pridescex].............H...[mrm_hschemaex] ................[mrm_res_map2_].........h... P..[mrm_dataitem] .............H...[mrm_decn_info].................................................................................................E.N.-.U.S..............[mrm_pridescex].........H...........................................H...[mrm_hschemaex] ..................".....[def_hnamesx] ..........B......2...m.s.-.a.p.p.x.:././.W.i.n.d.o.w.s...U.I...S.h.e.l.l.C.o.m.m.o.n./...W.i.n.d.o.w.s...U.I...S.h.e.l.l.C.o.m.m.o.n.........1.......2...............................A..0.P......C..0.P......D..0,E[.....F..0DC,.....J..0$B......M..0.X......M..0^A......N..0n2......P..0l1......Q..0.',.....R..0.'+.....S..0..m.....S..0..>.....S..0%.....#.W.#0......+.A..!..0...).A..!../.....A..!......4.A.'!}.-...".A..!g.,.....A.!!E.+...5.A.(!..*...4.A.'!..)...3.A.&!..(...0.A.#!..'...B.A.5!s.&.....A.!!Q.%...1.A.$!,.$...0.A.#!..#.../.A."!..".....A.!!
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=39, Archive, ctime=Fri Sep 6 01:27:57 2024, mtime=Thu Dec 19 17:43:12 2024, atime=Fri Sep 6 01:27:57 2024, length=90112, window=hide
                                                                                                Category:dropped
                                                                                                Size (bytes):1960
                                                                                                Entropy (8bit):3.321199116325212
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:8eSkGrpt7fSulTyApeiUHh+/Clo+sd/UW+fwT4o02s/Ykvsm:8pFptf3ltYiAlo7d/9fMo8YkU
                                                                                                MD5:92C5553DB196D478E13D40A8A7BF8526
                                                                                                SHA1:908E91C50B67F5ACF32D3EA92B1687659936D1BC
                                                                                                SHA-256:07BC017D1970A3567D05D0B8CFD8279AE3238433DB4B58D614A58B15D5C8B3D9
                                                                                                SHA-512:46591D925281B0A1D6818DA8091AAC7EFC3B365996456C7CACFA314517AFE9097C5248C01B3B633153E47C99D002BF106C1D98E4B2429F268827447281451F43
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):104880
                                                                                                Entropy (8bit):3.9857191071573217
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:sPTkYS/mgsjzPih1ri5GhnyGMVUUxx14t:srkYS/mgsjzqhpi7G7Ux7U
                                                                                                MD5:74ED0F9F6B0C741FD476DFB8F9A523EA
                                                                                                SHA1:BAF7D7F257438F99B129DAB5D2B0CD5603A35898
                                                                                                SHA-256:BF3B5F73734398D36C9C9788608C49331E28335EE473C71189550EEA240E94D4
                                                                                                SHA-512:87272A987774782E7D179C2A8BE0005F67AF39F71948A38EBF769A8DD3077174DFEE3FA052674A96A248506A34196FE0BA119962D1AB01E2FDC5B518DEE68E5B
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*4923 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):20164608
                                                                                                Entropy (8bit):5.681845584845048
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:B0n570xvYDTvox3Q353w3j3W3y+ZNufjNY6UbY/YILCGg59dIaEx0URA9L6+cxK4:B0nJsc42R0B1
                                                                                                MD5:00B6C341356F914D5E7C46C80D930220
                                                                                                SHA1:60C19DEA704D295177013582F423DE1D0BB263B5
                                                                                                SHA-256:5E933C99E652FDBF28165E2B0301297FAC9B01FE00FC59660EA43AD8A4772514
                                                                                                SHA-512:FD351C8F5C3CCE0B89D2FC1664E8C16E3F35363BB0A09FF1AEFE6832F06790F5AEAE7AB2CFAC90424E95B2DE6663F266CCA5F303986778621B99486D5A710A68
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*7685 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):31477760
                                                                                                Entropy (8bit):5.623601438277038
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:FF/1V1oiaOrjDgVTub8O8/1l4Lf/45EFRiUz3Cv+gkHEpctXi7lcOT7uH6qTpLN4:7NV1vnH+1WzqgaftyWnh9RT
                                                                                                MD5:F6B1F244316498EFB599C57615D0B27A
                                                                                                SHA1:3463AB821F1083DE718A7330E0E266D51B62978F
                                                                                                SHA-256:7191526BCEEF78B8ABF7C2A298BA3CCD7893D4D5882F995877059665415D2E60
                                                                                                SHA-512:60C662E1B2FFA20268E917DCEA94186205726C672D0254C355F015FC033C53BBCBF7DC9C31B0F5C16A1C0B5E1128F88BB87A63B9B3D4F4E473FF282C279F10F5
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*1499 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):6139904
                                                                                                Entropy (8bit):5.371192355576708
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:rYNFBy5AXoKJyBGF8PLn/gau9oIClD08/zORIW1hvuY+N6ND9QM3UEXHxm0dnDNN:roGYqsZ5RZQ
                                                                                                MD5:6FBAD49B7063AABD0549B49A477CAAE5
                                                                                                SHA1:E84776C7AB4D66BDCEB9B6BD91EE15FE23499AAC
                                                                                                SHA-256:0E6B01BD708F0164329560D14EE390E3B14DB00D0776F41A330157C949DA9EE9
                                                                                                SHA-512:25AC3A32503177B96559D2C03520A29A0CB9801687036DAF0A955E911546ECF1027B40588210B2E5BC709948A395C11CD990CA0DCC818EE0259C95601526AFF7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*8699 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):34115584
                                                                                                Entropy (8bit):5.732874486135257
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:vPcF1Vbv8dJ6EPigdurTKKR68aMfUDCaN4QlkqYGxR2rlP9rKoyEXv/uIqvLzfHM:006
                                                                                                MD5:34769E2564CAF36AB3795D3B0A469ECB
                                                                                                SHA1:3313693643E1B071C782BEE26BBAC64F22395EE8
                                                                                                SHA-256:E99821661B1EF3D9AF3BA7C2E0548A02F9B0529936F51B03EB2AF50D8B35F446
                                                                                                SHA-512:2444FEC40E1ED1DA4C2B7AE14B42F15A35DF636593EC1D6451926AE9EBE9960A18A799B84853BAF7680C5CE346753EED2DF6569F1FA7E3B6CD8D2E1589C2C207
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*4923 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):20164608
                                                                                                Entropy (8bit):5.681845584845048
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:B0n570xvYDTvox3Q353w3j3W3y+ZNufjNY6UbY/YILCGg59dIaEx0URA9L6+cxK4:B0nJsc42R0B1
                                                                                                MD5:00B6C341356F914D5E7C46C80D930220
                                                                                                SHA1:60C19DEA704D295177013582F423DE1D0BB263B5
                                                                                                SHA-256:5E933C99E652FDBF28165E2B0301297FAC9B01FE00FC59660EA43AD8A4772514
                                                                                                SHA-512:FD351C8F5C3CCE0B89D2FC1664E8C16E3F35363BB0A09FF1AEFE6832F06790F5AEAE7AB2CFAC90424E95B2DE6663F266CCA5F303986778621B99486D5A710A68
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*8699 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):34115584
                                                                                                Entropy (8bit):5.732874486135257
                                                                                                Encrypted:false
                                                                                                SSDEEP:196608:vPcF1Vbv8dJ6EPigdurTKKR68aMfUDCaN4QlkqYGxR2rlP9rKoyEXv/uIqvLzfHM:006
                                                                                                MD5:34769E2564CAF36AB3795D3B0A469ECB
                                                                                                SHA1:3313693643E1B071C782BEE26BBAC64F22395EE8
                                                                                                SHA-256:E99821661B1EF3D9AF3BA7C2E0548A02F9B0529936F51B03EB2AF50D8B35F446
                                                                                                SHA-512:2444FEC40E1ED1DA4C2B7AE14B42F15A35DF636593EC1D6451926AE9EBE9960A18A799B84853BAF7680C5CE346753EED2DF6569F1FA7E3B6CD8D2E1589C2C207
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*1499 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):6139904
                                                                                                Entropy (8bit):5.371192355576708
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:rYNFBy5AXoKJyBGF8PLn/gau9oIClD08/zORIW1hvuY+N6ND9QM3UEXHxm0dnDNN:roGYqsZ5RZQ
                                                                                                MD5:6FBAD49B7063AABD0549B49A477CAAE5
                                                                                                SHA1:E84776C7AB4D66BDCEB9B6BD91EE15FE23499AAC
                                                                                                SHA-256:0E6B01BD708F0164329560D14EE390E3B14DB00D0776F41A330157C949DA9EE9
                                                                                                SHA-512:25AC3A32503177B96559D2C03520A29A0CB9801687036DAF0A955E911546ECF1027B40588210B2E5BC709948A395C11CD990CA0DCC818EE0259C95601526AFF7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:MSVC program database ver 7.00, 4096*7685 bytes
                                                                                                Category:dropped
                                                                                                Size (bytes):31477760
                                                                                                Entropy (8bit):5.623601438277038
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:FF/1V1oiaOrjDgVTub8O8/1l4Lf/45EFRiUz3Cv+gkHEpctXi7lcOT7uH6qTpLN4:7NV1vnH+1WzqgaftyWnh9RT
                                                                                                MD5:F6B1F244316498EFB599C57615D0B27A
                                                                                                SHA1:3463AB821F1083DE718A7330E0E266D51B62978F
                                                                                                SHA-256:7191526BCEEF78B8ABF7C2A298BA3CCD7893D4D5882F995877059665415D2E60
                                                                                                SHA-512:60C662E1B2FFA20268E917DCEA94186205726C672D0254C355F015FC033C53BBCBF7DC9C31B0F5C16A1C0B5E1128F88BB87A63B9B3D4F4E473FF282C279F10F5
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\explorer.exe
                                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                                Category:dropped
                                                                                                Size (bytes):151729
                                                                                                Entropy (8bit):7.945756681484684
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:Jv9V0wuYm4qafQx/DHf7klXxenjkZbzSqfSnIKoZntIS:Jv9Qa+7k9GkZbzNSnSZnSS
                                                                                                MD5:973B719A7B7C62DDFB1D55ED5AF3C2A0
                                                                                                SHA1:6461F387ADBC02FEFC72A9778155A07CB1880FBC
                                                                                                SHA-256:61D9CDC2D78B94C6C9893F71107B7B0F3377DFC6D5DC314A0DE17231EB72D87F
                                                                                                SHA-512:62F1DC4493D5AD3062BD7467738C99535C7DD2D0B6F1516F2C4BCF22F33609BCECB3B6B9CB6FFE1CFBD5402C0C68EAA83A342CEA18E0B4DE3D004CA498DA60D8
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):1458176
                                                                                                Entropy (8bit):6.529653043779224
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:MOWQVo+MVJRgjgfRCZhnNa/a63jGr64rzAiGzJ6eNUVyJppR3:M+a+u34ZJNY3k98zJ7NUgJP
                                                                                                MD5:0E65A0A661148077BC24602067AC3FF7
                                                                                                SHA1:3916FA695AC13A61E60EDFD39F2F8504A99FEB62
                                                                                                SHA-256:3E81CECF171D697DBF08E97CDC0ED60158D6FB405E9897D54890CF20E35EF856
                                                                                                SHA-512:780AECC25942FC32D5454DBC139CF02D738E474DE2B66E47D1F92F2549E01B4F79A03480A0F16D407AE398B1F2B8F25854997384E59B4B98A8F7BF6400E475BD
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2A..v .@v .@v .@=X.Ar .@=X.AR .@.X1@? .@=X.Ar .@=X.A} .@v .@f%.@=X_@u .@=X.A; .@=X.Aw .@=X]@w .@=X.Aw .@Richv .@........PE..d...Bf............" .....f...........................................................P....`Q............................................t...4........@.......P...............P..lF......p.......................(.......@.......................`....................text....e.......f.................. ..`.rdata...............j..............@..@.data...P,... ......................@....pdata.......P....... ..............@..@.didat.. ....0......................@....rsrc........@......................@..@.reloc..lF...P...H..................@..B................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):8694272
                                                                                                Entropy (8bit):6.576367943733818
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:mcvhib+lfmq53jlhFdDRqzVUW+qn47Y1sqjQ7y9GVshaTBLHiNLbEr1zIcmQn9aD:mCjdCQ1zIWx5KDegEgHnrQV
                                                                                                MD5:20B55D5C6DCE22F8011906281E4E6999
                                                                                                SHA1:27735EAD648E104D3715DABFCFFF410CDCFC706C
                                                                                                SHA-256:715B75B289DD2EFC34FB0FFD924FCD38A34FEE9FC5E93A207FCADA7CB38F6508
                                                                                                SHA-512:87CE3569C9803380F31638C181F5C9D3BD1BBA497D162405EF0D0271ABEF1FC91BADAAEB8D79C30F8EE0F5313BF8DDA161BEC7DE0A57E1F4BF10FCABB3D28DB2
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%Du.a%..a%..a%..*]..e%..*]..D%..*]..q%..h].._%..*]..j%..a%... ..*]..b%..*]..j$..*]..`%..*]..`%..*]..`%..Richa%..........................PE..d...D............" ......^...%......l....................................... ............`Q........................................ {w.p....{w.............. }.\y..............._.. .c.p....................=d.(....c.@.............^......uw......................text.....^.......^................. ..`.rdata........^.......^.............@..@.data...4Q....w..,....w.............@....pdata..\y... }..z....|.............@..@.didat...............D..............@....rsrc................F..............@..@.reloc..._.......`...J..............@..B................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):716288
                                                                                                Entropy (8bit):6.218933147794801
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
                                                                                                MD5:8BFCA71ADD96D3DE75173D464792E2B9
                                                                                                SHA1:FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
                                                                                                SHA-256:5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
                                                                                                SHA-512:B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):168448
                                                                                                Entropy (8bit):6.180419967116705
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:dRH0518Qus3amg8D/O6tF+eie3cBHqveM:v0f8Q/xDmoiWcB
                                                                                                MD5:B80816EE9FCDB1D9076B73FD929FC96B
                                                                                                SHA1:FF9A5A12DCA164652419F5DEE082AF4A49B8A03B
                                                                                                SHA-256:D63B9FC13C99000CF77D02EE6E5E84C825D02A92D87B728CB601681B5EB21671
                                                                                                SHA-512:21CEBCA787A0FA0976B44315BF05B6EB4719306653DDBBFCE41231244219BCD288CD8045980BACF21481DDABCF464C82795147DB755148CC0E23167BBB874FD7
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e...e...e...f...e...`. .e...a...e...f...e...a...e...`...e.......e...d...e...d...e...m...e...e...e.......e.....e...g...e.Rich..e.................PE..d...G,&g.........." ...)..................................................................`.................................................>..x........0...p..................T.......p...............................@............ ...............................text...P........................... ..`.rdata...(... ...*..................@..@.data........P.......:..............@....pdata.......p.......F..............@..@.rsrc....0.......2...X..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):716288
                                                                                                Entropy (8bit):6.218933147794801
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:tAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:6ZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
                                                                                                MD5:8BFCA71ADD96D3DE75173D464792E2B9
                                                                                                SHA1:FE6BC3C30C26D6CE1C149B173B5D79C80102D5B9
                                                                                                SHA-256:5AAA6BAB20B7116B32BDDBA1DF216F7476557BB48397E1968A49EDE14E6C377D
                                                                                                SHA-512:B560415727D15CEEB09E5D9E39EA2B4043848BF4239FBF5068AAAC86F64B3D05D4E21EB197416DB0FB4172C68F782C05AEAE18AC70C27F80566040B6BA79159A
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\ep_setup.exe
                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):716288
                                                                                                Entropy (8bit):6.2189942777653355
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:NAZZrKVjXMzFheHhMwJXOI8mw03edresazpaek4Yc9edrtvL9suuuuuuaW5q77gt:aZBsjXMzFhySwJXOIpOSsgpapXcqrNO7
                                                                                                MD5:047B192A9C703FC5A2C2764DB869FF5C
                                                                                                SHA1:8C1494ACC3119FBF8332AE3B6A4F854E5B4D37CB
                                                                                                SHA-256:1971C57F88849B4069BE06D3784E0968755C916FA1564A3F8F05610D3B02CDCC
                                                                                                SHA-512:C7F80703DB23611D56618A8B1B4FFFF814A9264135E3846DF99120C0FFC16DA9D5B37C6465AC25D61D4F6E386D36B3DE640C57C460098F06778C658CC19454CC
                                                                                                Malicious:false
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Preview:MZ......................@...................................0...........!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........%.^.D...D...D...<...D...<..uD.......D.......D...<4..D....Z..D.......D.......D.......D...<...D...<...D...D...F.......D.......D....X..D...D0..D.......D..Rich.D..................PE..d...m,&g.........." ...).....N......l........................................P............`..........................................U......DZ...........0.......I...........@......`|..p...............................@...............h............................text............................... ..`.rdata..v...........................@..@.data...H...........................@....pdata...I.......J...d..............@..@.rsrc....0.......2..................@..@.reloc.......@......................@..B................................................................................................................................................................................................
                                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                Entropy (8bit):7.989614560554252
                                                                                                TrID:
                                                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:ep_setup.exe
                                                                                                File size:11'143'168 bytes
                                                                                                MD5:f164888a6fbc646b093f6af6663f4e63
                                                                                                SHA1:3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c
                                                                                                SHA256:8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67
                                                                                                SHA512:f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1
                                                                                                SSDEEP:196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A
                                                                                                TLSH:E3B6332A77E505CAF97BC378A4B71586A1AABD072334D93E8660058E8D337F18C38775
                                                                                                File Content Preview:MZ......................@...............................................!..L.!22622.4317.67.1.8bfca71add96d3deS mode....$........ uO.A...A...A...9...A...9...A.......A.......A.......A.......A...9...A...9...A...9...A...A..NA.......A.......A...A...A.......A.
                                                                                                Icon Hash:2086969696969600
                                                                                                Entrypoint:0x140008c18
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x140000000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x67262C76 [Sat Nov 2 13:43:18 2024 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:6
                                                                                                OS Version Minor:0
                                                                                                File Version Major:6
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:6
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f1499aa854493f33c80eb31e0ab8ae92
                                                                                                Instruction
                                                                                                dec eax
                                                                                                sub esp, 28h
                                                                                                call 00007F4EB4B86A00h
                                                                                                dec eax
                                                                                                add esp, 28h
                                                                                                jmp 00007F4EB4B8662Fh
                                                                                                int3
                                                                                                int3
                                                                                                dec eax
                                                                                                sub esp, 28h
                                                                                                call 00007F4EB4B87098h
                                                                                                test eax, eax
                                                                                                je 00007F4EB4B867D3h
                                                                                                dec eax
                                                                                                mov eax, dword ptr [00000030h]
                                                                                                dec eax
                                                                                                mov ecx, dword ptr [eax+08h]
                                                                                                jmp 00007F4EB4B867B7h
                                                                                                dec eax
                                                                                                cmp ecx, eax
                                                                                                je 00007F4EB4B867C6h
                                                                                                xor eax, eax
                                                                                                dec eax
                                                                                                cmpxchg dword ptr [0002E420h], ecx
                                                                                                jne 00007F4EB4B867A0h
                                                                                                xor al, al
                                                                                                dec eax
                                                                                                add esp, 28h
                                                                                                ret
                                                                                                mov al, 01h
                                                                                                jmp 00007F4EB4B867A9h
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                dec eax
                                                                                                sub esp, 28h
                                                                                                test ecx, ecx
                                                                                                jne 00007F4EB4B867B9h
                                                                                                mov byte ptr [0002E409h], 00000001h
                                                                                                call 00007F4EB4B86D85h
                                                                                                call 00007F4EB4B8A410h
                                                                                                test al, al
                                                                                                jne 00007F4EB4B867B6h
                                                                                                xor al, al
                                                                                                jmp 00007F4EB4B867C6h
                                                                                                call 00007F4EB4B95BEFh
                                                                                                test al, al
                                                                                                jne 00007F4EB4B867BBh
                                                                                                xor ecx, ecx
                                                                                                call 00007F4EB4B8A420h
                                                                                                jmp 00007F4EB4B8679Ch
                                                                                                mov al, 01h
                                                                                                dec eax
                                                                                                add esp, 28h
                                                                                                ret
                                                                                                int3
                                                                                                int3
                                                                                                inc eax
                                                                                                push ebx
                                                                                                dec eax
                                                                                                sub esp, 20h
                                                                                                cmp byte ptr [0002E3D0h], 00000000h
                                                                                                mov ebx, ecx
                                                                                                jne 00007F4EB4B86819h
                                                                                                cmp ecx, 01h
                                                                                                jnbe 00007F4EB4B8681Ch
                                                                                                call 00007F4EB4B8700Eh
                                                                                                test eax, eax
                                                                                                je 00007F4EB4B867DAh
                                                                                                test ebx, ebx
                                                                                                jne 00007F4EB4B867D6h
                                                                                                dec eax
                                                                                                lea ecx, dword ptr [0002E3BAh]
                                                                                                call 00007F4EB4B95A0Eh
                                                                                                test eax, eax
                                                                                                jne 00007F4EB4B867C2h
                                                                                                dec eax
                                                                                                lea ecx, dword ptr [0002E3C2h]
                                                                                                call 00007F4EB4B867FEh
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x34bfc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0xa68508 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x1aac | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa3000 | 0x6a4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x328b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x32770 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x26000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x24f70 | 0x25000 | 1f4fc22d148d6d3135755eea43c697e1 | False | 0.5402172191722973 | data | 6.471346143888643 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x26000 | 0xfd20 | 0xfe00 | aa96a95a51639aa280d1a0d77a982305 | False | 0.48357529527559057 | data | 5.3687460432728695 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x36000 | 0x1f54 | 0xc00 | 70729d2ec4f7f720830ce88e7a8defb2 | False | 0.138671875 | data | 1.9570761316523926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x38000 | 0x1aac | 0x1c00 | bd20803e644778b5c525e4bcf2d8d029 | False | 0.46861049107142855 | PEX Binary Archive | 5.289454763459752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3a000 | 0xa68508 | 0xa68600 | b66e28f0c9dd840431c3f09702e7e354 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xaa3000 | 0x6a4 | 0x800 | 5ea92cc594f6f022327f422ccdb67dfd | False | 0.51025390625 | data | 5.001664792945668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0xaa1ed0 | 0x13e | data | Chinese | Taiwan | 0.7327044025157232
RT_STRING | 0xa9a140 | 0x2ae | data | German | Germany | 0.43731778425655976
RT_STRING | 0xa998c0 | 0x2a2 | data | English | United States | 0.4169139465875371
RT_STRING | 0xa9abb0 | 0x2b8 | data | French | France | 0.43103448275862066
RT_STRING | 0xa9b540 | 0x280 | data | Hungarian | Hungary | 0.46875
RT_STRING | 0xa9c740 | 0x1b2 | data | Japanese | Japan | 0.6428571428571429
RT_STRING | 0xa9cc98 | 0x170 | data | Korean | North Korea | 0.7010869565217391
RT_STRING | 0xa9cc98 | 0x170 | data | Korean | South Korea | 0.7010869565217391
RT_STRING | 0xa9da88 | 0x294 | data | Dutch | Netherlands | 0.4393939393939394
RT_STRING | 0xa9e3c0 | 0x2ac | data | Polish | Poland | 0.4473684210526316
RT_STRING | 0xa9ed48 | 0x2a2 | data | Portuguese | Brazil | 0.4287833827893175
RT_STRING | 0xa9f590 | 0x294 | data | Romanian | Romania | 0.4348484848484849
RT_STRING | 0xa9ff20 | 0x2ac | data | Russian | Russia | 0.4780701754385965
RT_STRING | 0xaa0800 | 0x2c4 | data | Turkish | Turkey | 0.4477401129943503
RT_STRING | 0xa9be68 | 0x292 | data | Indonesian | Indonesia | 0.4133738601823708
RT_STRING | 0xaa11c8 | 0x2fe | data | Ukrainian | Ukraine | 0.4804177545691906
RT_STRING | 0xa9d178 | 0x2c8 | data | Lithuanian | Lithuania | 0.45365168539325845
RT_STRING | 0xaa1b40 | 0x132 | data | Chinese | China | 0.7320261437908496
RT_STRING | 0xaa2010 | 0x272 | data | Chinese | Taiwan | 0.6597444089456869
RT_STRING | 0xa9a3f0 | 0x7bc | data | German | Germany | 0.33636363636363636
RT_STRING | 0xa99b68 | 0x5d4 | data | English | United States | 0.36126005361930297
RT_STRING | 0xa9ae68 | 0x6d2 | data | French | France | 0.35051546391752575
RT_STRING | 0xa9b7c0 | 0x6a2 | data | Hungarian | Hungary | 0.37809187279151946
RT_STRING | 0xa9c8f8 | 0x39c | data | Japanese | Japan | 0.5703463203463204
RT_STRING | 0xa9ce08 | 0x36c | data | Korean | North Korea | 0.5753424657534246
RT_STRING | 0xa9ce08 | 0x36c | data | Korean | South Korea | 0.5753424657534246
RT_STRING | 0xa9dd20 | 0x69a | data | Dutch | Netherlands | 0.3502958579881657
RT_STRING | 0xa9e670 | 0x6d2 | data | Polish | Poland | 0.3722794959908362
RT_STRING | 0xa9eff0 | 0x59e | data | Portuguese | Brazil | 0.3588317107093185
RT_STRING | 0xa9f828 | 0x6f8 | data | Romanian | Romania | 0.34697309417040356
RT_STRING | 0xaa01d0 | 0x62e | data | Russian | Russia | 0.3950695322376738
RT_STRING | 0xaa0ac8 | 0x700 | data | Turkish | Turkey | 0.34933035714285715
RT_STRING | 0xa9c100 | 0x63c | data | Indonesian | Indonesia | 0.3533834586466165
RT_STRING | 0xaa14c8 | 0x678 | data | Ukrainian | Ukraine | 0.39492753623188404
RT_STRING | 0xa9d440 | 0x648 | data | Lithuanian | Lithuania | 0.36691542288557216
RT_STRING | 0xaa1c78 | 0x258 | data | Chinese | China | 0.66
RT_RCDATA | 0x3a7e0 | 0xa5f0d9 | Zip archive data, at least v2.0 to extract, compression method=deflate | English | United States | 0.9992485046386719
RT_VERSION | 0x3a460 | 0x380 | data | English | United States | 0.4341517857142857
RT_MANIFEST | 0xaa2288 | 0x27e | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5517241379310345
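The directory, section and resource tables above can be cross-checked mechanically. The Python below is an added example and is not part of the Joe Sandbox report. It transcribes the section and directory values from the tables above, recomputes the "Is in Section" column by mapping each directory RVA into the section that contains it (assuming the usual 0x1000 section alignment, which the report does not print), reports what fraction of the on-disk file each section holds, and implements the Shannon entropy that the Entropy column reports. On this sample .rsrc carries roughly 98% of the file, consistent with the RT_RCDATA entry (a 0xa5f0d9-byte deflated Zip archive), so the useful next step is to extract that resource and analyse its contents rather than the stub around it.

```python
import math
from collections import Counter

# Assumed: standard section alignment. The report does not print the optional header value.
SECTION_ALIGNMENT = 0x1000

# Section table transcribed from the report: (name, VirtualAddress, VirtualSize, SizeOfRawData)
SECTIONS = [
    (".text",  0x1000,   0x24f70,  0x25000),
    (".rdata", 0x26000,  0xfd20,   0xfe00),
    (".data",  0x36000,  0x1f54,   0xc00),
    (".pdata", 0x38000,  0x1aac,   0x1c00),
    (".rsrc",  0x3a000,  0xa68508, 0xa68600),
    (".reloc", 0xaa3000, 0x6a4,    0x800),
]

# Data directories transcribed from the report: (name, RVA, Size); empty entries omitted
DIRECTORIES = [
    ("IMPORT",      0x34bfc,  0xb4),
    ("RESOURCE",    0x3a000,  0xa68508),
    ("EXCEPTION",   0x38000,  0x1aac),
    ("BASERELOC",   0xaa3000, 0x6a4),
    ("DEBUG",       0x328b0,  0x70),
    ("LOAD_CONFIG", 0x32770,  0x140),
    ("IAT",         0x26000,  0x508),
]


def _align_up(n, alignment=SECTION_ALIGNMENT):
    return (n + alignment - 1) // alignment * alignment


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose mapped range contains rva, or None (headers, gaps)."""
    for name, va, vsize, rsize in sections:
        mapped = _align_up(vsize or rsize)   # loader maps VirtualSize rounded up to alignment
        if va <= rva < va + mapped:
            return name
    return None


def check_directories(directories=DIRECTORIES, sections=SECTIONS):
    """Recompute the 'Is in Section' column. A directory whose first and last byte fall
    in different sections (or in none) gets None: that is a parser-confusion signal."""
    result = {}
    for name, rva, size in directories:
        first = rva_to_section(rva, sections)
        last = rva_to_section(rva + size - 1, sections) if size else first
        result[name] = first if first == last else None
    return result


def section_shares(sections=SECTIONS):
    """Fraction of the on-disk image (sum of raw sizes) occupied by each section."""
    total = sum(rsize for _, _, _, rsize in sections)
    return {name: rsize / total for name, _, _, rsize in sections}


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes.
    Deflated or encrypted payloads sit close to 8; plain x86-64 code sits around 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(sections=SECTIONS, directories=DIRECTORIES):
    """Findings an analyst would act on before touching the disassembly."""
    findings = []
    for name, sect in check_directories(directories, sections).items():
        if sect is None:
            findings.append(f"directory {name} is not contained in a single section")
    for name, share in section_shares(sections).items():
        if share > 0.9:
            findings.append(f"{name} holds {share:.1%} of the file: payload carrier, extract it")
    return findings


if __name__ == "__main__":
    for directory, section in check_directories().items():
        print(f"{directory:<12} -> {section}")
    for finding in triage():
        print("!", finding)
```

Run as a script it prints the directory-to-section map (which matches the table above) and a single finding for .rsrc. Feed shannon_entropy the raw bytes of a section to reproduce the Entropy column; the report leaves .rsrc as "unknown", and a deflated Zip of that size should read close to 8 bits per byte.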
Imports

DLL | Import
KERNEL32.dll | TerminateProcess, RemoveDirectoryW, GetModuleFileNameW, FindClose, K32GetProcessImageFileNameW, GetUserPreferredUILanguages, OpenProcess, MultiByteToWideChar, CreateThread, K32EnumProcesses, GetCurrentDirectoryW, GetProcAddress, GetCurrentProcessId, GetModuleHandleW, FreeLibrary, CopyFileW, CreateSymbolicLinkW, lstrcmpW, MoveFileW, GetProcessTimes, LoadLibraryExW, WriteConsoleW, SetEndOfFile, WriteFile, HeapSize, FlushFileBuffers, GetProcessHeap, GetStringTypeW, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FindNextFileW, SetLastError, FindFirstFileW, GetExitCodeProcess, MapViewOfFile, CreateFileMappingW, LocalFree, GetWindowsDirectoryW, FindResourceW, LoadResource, CloseHandle, DeleteFileW, LockResource, GetLastError, Sleep, CreateEventW, FreeResource, UnmapViewOfFile, GetSystemDirectoryW, CreateFileW, LocalAlloc, WaitForSingleObject, GetCurrentProcess, GetFileSizeEx, SizeofResource, ReadFile, HeapReAlloc, CreateDirectoryW, LCMapStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, GetFileType, HeapFree, HeapAlloc, GetStdHandle, GetModuleHandleExW, ExitProcess, RtlPcToFileHeader, RaiseException, EncodePointer, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll | ExitWindowsEx, GetWindowThreadProcessId, SetProcessDpiAwarenessContext, SendMessageTimeoutW, MessageBoxW, SendMessageW, LoadStringW, FindWindowW
ADVAPI32.dll | RevertToSelf, EqualSid, RegDeleteKeyW, AllocateAndInitializeSid, RegDeleteKeyValueW, RegCreateKeyExW, CreateProcessWithTokenW, ImpersonateLoggedOnUser, RegDeleteTreeW, RegSetValueExW, FreeSid, CheckTokenMembership, DuplicateTokenEx, RegOpenKeyW, RegQueryValueExW, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegCloseKey, OpenProcessToken, RegOpenKeyExW, RegGetValueW
SHELL32.dll | SHGetFolderPathW, ShellExecuteW, SHFileOperationW, CommandLineToArgvW, ShellExecuteExW
ole32.dll | CoInitialize, CoUninitialize, CoCreateInstance
RstrtMgr.DLL | RmRegisterResources, RmGetList, RmStartSession, RmShutdown
VERSION.dll | VerQueryValueW
SHLWAPI.dll | PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW, PathFileExistsW
Possible Origin

Language of compilation system | Country where language is spoken
Chinese | Taiwan
German | Germany
English | United States
French | France
Hungarian | Hungary
Japanese | Japan
Korean | North Korea
Korean | South Korea
Dutch | Netherlands
Polish | Poland
Portuguese | Brazil
Romanian | Romania
Russian | Russia
Turkish | Turkey
Indonesian | Indonesia
Ukrainian | Ukraine
Lithuanian | Lithuania
Chinese | China
IDS Alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T19:43:29.659700+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.24 | 49790 | 20.233.83.145 | 443 | TCP
TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 19:43:27.352884054 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:27.352917910 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:27.353005886 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:27.374886036 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:27.374907017 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.960077047 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.961157084 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:28.962199926 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:28.962229967 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.963490963 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.963567972 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:28.965950012 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:28.966026068 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.966095924 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:28.966113091 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:28.967360020 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.010523081 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.051330090 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.659673929 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.659833908 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.659920931 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.659982920 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.660043955 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.660054922 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.660111904 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.660727024 CET | 49790 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.660757065 CET | 443 | 49790 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.661313057 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.661355972 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:29.664129019 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.665093899 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:29.665107965 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.294559002 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.294641018 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.296132088 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.296140909 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.296509981 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.296559095 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.297295094 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.297363997 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.297419071 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.297451973 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.343324900 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.975927114 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.975980043 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.976448059 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.976502895 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:31.976541996 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:31.976567030 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:32.808464050 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:32.808489084 CET | 443 | 49792 | 20.233.83.145 | 192.168.2.24
Dec 19, 2024 19:43:32.808501959 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:32.808686972 CET | 49792 | 443 | 192.168.2.24 | 20.233.83.145
Dec 19, 2024 19:43:32.947065115 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:32.947096109 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:32.948184013 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:32.949090958 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:32.949111938 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:34.306478024 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:34.309084892 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:34.310456038 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:34.310465097 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:34.312072992 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:34.312146902 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.061237097 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.061451912 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.071146011 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.083266020 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.083276987 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.084228992 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.422583103 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.422640085 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.422960043 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.423306942 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.429371119 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.429388046 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.429801941 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.429979086 CET | 443 | 49794 | 185.199.110.133 | 192.168.2.24
Dec 19, 2024 19:43:36.430605888 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
Dec 19, 2024 19:43:36.430625916 CET | 49794 | 443 | 192.168.2.24 | 185.199.110.133
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 19:43:07.142431021 CET | 61088 | 53 | 192.168.2.24 | 1.1.1.1
Dec 19, 2024 19:43:09.754640102 CET | 61088 | 53 | 192.168.2.24 | 1.1.1.1
Dec 19, 2024 19:43:27.196014881 CET | 55045 | 53 | 192.168.2.24 | 1.1.1.1
Dec 19, 2024 19:43:27.336653948 CET | 53 | 55045 | 1.1.1.1 | 192.168.2.24
Dec 19, 2024 19:43:32.808953047 CET | 55045 | 53 | 192.168.2.24 | 1.1.1.1
Dec 19, 2024 19:43:32.946100950 CET | 53 | 55045 | 1.1.1.1 | 192.168.2.24
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 19:43:07.142431021 CET | 192.168.2.24 | 1.1.1.1 | 0x7d38 | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 19:43:09.754640102 CET | 192.168.2.24 | 1.1.1.1 | 0xe9eb | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false
Dec 19, 2024 19:43:27.196014881 CET | 192.168.2.24 | 1.1.1.1 | 0x1261 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 19:43:32.808953047 CET | 192.168.2.24 | 1.1.1.1 | 0xdb76 | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
                                                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                                Dec 19, 2024 19:43:07.279350996 CET | 1.1.1.1 | 192.168.2.24 | 0x7d38 | No error (0) | srtb.msn.com | www.msn.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:07.279350996 CET | 1.1.1.1 | 192.168.2.24 | 0x7d38 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:09.892512083 CET | 1.1.1.1 | 192.168.2.24 | 0xe9eb | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:09.892512083 CET | 1.1.1.1 | 192.168.2.24 | 0xe9eb | No error (0) | ax-0001.ax-msedge.net | | 150.171.28.10 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:09.892512083 CET | 1.1.1.1 | 192.168.2.24 | 0xe9eb | No error (0) | ax-0001.ax-msedge.net | | 150.171.27.10 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:27.336653948 CET | 1.1.1.1 | 192.168.2.24 | 0x1261 | No error (0) | github.com | | 20.233.83.145 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:32.946100950 CET | 1.1.1.1 | 192.168.2.24 | 0xdb76 | No error (0) | objects.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:32.946100950 CET | 1.1.1.1 | 192.168.2.24 | 0xdb76 | No error (0) | objects.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:32.946100950 CET | 1.1.1.1 | 192.168.2.24 | 0xdb76 | No error (0) | objects.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                                                                                                Dec 19, 2024 19:43:32.946100950 CET | 1.1.1.1 | 192.168.2.24 | 0xdb76 | No error (0) | objects.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                                                                                                • github.com
                                                                                                • objects.githubusercontent.com
                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                0 | 192.168.2.24 | 49790 | 20.233.83.145 | 443 | 9012 | C:\Windows\explorer.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-12-19 18:43:29 UTC | 126 | OUT | GET /valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe HTTP/1.1
                                                                                                User-Agent: ExplorerPatcher
                                                                                                Host: github.com
                                                                                                2024-12-19 18:43:29 UTC | 547 | IN | HTTP/1.1 302 Found
                                                                                                Server: GitHub.com
                                                                                                Date: Thu, 19 Dec 2024 18:42:08 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                Location: https://github.com/valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe
                                                                                                Cache-Control: no-cache
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                X-Frame-Options: deny
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 0
                                                                                                Referrer-Policy: no-referrer-when-downgrade
                                                                                                2024-12-19 18:43:29 UTC | 3283 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
                                                                                                2024-12-19 18:43:29 UTC | 777 | IN | Data Ascii: Set-Cookie: _gh_sess=xCuYobsmwyIgSvJ96DbO13fomJs5tZUSEVhmAkyohjYA%2Bk%2FrBX6%2FYCbthxtxkQpRMwsbAlPh8TK9LCQLuzFsLdsuhPZ%2FiXdPqV%2B%2BaGTxI%2FOqlSthPPhmAxyS4793rKW9wlQ6WfL%2BO9654cQxD7Ov38SPWmd0SY8bc3qIhL95kmXPbakhCkXNlMzolwyMDBYYt2UnrePfUIOT%2BrHOLfRpnCJf


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                1 | 192.168.2.24 | 49792 | 20.233.83.145 | 443 | 9012 | C:\Windows\explorer.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-12-19 18:43:31 UTC | 167 | OUT | GET /valinet/ExplorerPatcher/releases/download/22621.4317.67.1_b93337a/ep_setup.exe HTTP/1.1
                                                                                                User-Agent: ExplorerPatcher
                                                                                                Host: github.com
                                                                                                Connection: Keep-Alive
                                                                                                2024-12-19 18:43:31 UTC | 959 | IN | HTTP/1.1 302 Found
                                                                                                Server: GitHub.com
                                                                                                Date: Thu, 19 Dec 2024 18:42:09 GMT
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T184209Z&X-Amz-Expires=300&X-Amz-Signature=6d698d818240e4899e410aa379d337e10eebc51c67064cb29ff3b029bc673213&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream
                                                                                                Cache-Control: no-cache
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                X-Frame-Options: deny
                                                                                                X-Content-Type-Options: nosniff
                                                                                                X-XSS-Protection: 0
                                                                                                Referrer-Policy: no-referrer-when-downgrade
                                                                                                2024-12-19 18:43:31 UTC | 3380 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                2 | 192.168.2.24 | 49794 | 185.199.110.133 | 443 | 9012 | C:\Windows\explorer.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-12-19 18:43:36 UTC | 579 | OUT | GET /github-production-release-asset-2e65be/394318710/5e5bb508-cbdc-44fb-9830-5b535df6ab52?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241219%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241219T184209Z&X-Amz-Expires=300&X-Amz-Signature=6d698d818240e4899e410aa379d337e10eebc51c67064cb29ff3b029bc673213&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dep_setup.exe&response-content-type=application%2Foctet-stream HTTP/1.1
                                                                                                User-Agent: ExplorerPatcher
                                                                                                Connection: Keep-Alive
                                                                                                Host: objects.githubusercontent.com
                                                                                                2024-12-19 18:43:36 UTC | 802 | IN | HTTP/1.1 200 OK
                                                                                                Connection: close
                                                                                                Content-Length: 11143168
                                                                                                Content-Type: application/octet-stream
                                                                                                Last-Modified: Sat, 02 Nov 2024 13:44:53 GMT
                                                                                                ETag: "0x8DCFB44880C75E8"
                                                                                                Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                x-ms-request-id: 8f07ddc9-a01e-000c-442d-2d765d000000
                                                                                                x-ms-version: 2024-08-04
                                                                                                x-ms-creation-time: Sat, 02 Nov 2024 13:44:53 GMT
                                                                                                x-ms-lease-status: unlocked
                                                                                                x-ms-lease-state: available
                                                                                                x-ms-blob-type: BlockBlob
                                                                                                Content-Disposition: attachment; filename=ep_setup.exe
                                                                                                x-ms-server-encrypted: true
                                                                                                Via: 1.1 varnish, 1.1 varnish
                                                                                                Fastly-Restarts: 1
                                                                                                Accept-Ranges: bytes
                                                                                                Age: 6416
                                                                                                Date: Thu, 19 Dec 2024 18:43:36 GMT
                                                                                                X-Served-By: cache-iad-kiad7000060-IAD, cache-nyc-kteb1890022-NYC
                                                                                                X-Cache: HIT, HIT
                                                                                                X-Cache-Hits: 111411, 0
                                                                                                X-Timer: S1734633816.233070,VS0,VE1
                                                                                                2024-12-19 18:43:36 UTC | 1378 | IN | Data Ascii: MZ@!L!22622.4317.67.1.8bfca71add96d3deS mode.$ uOAAA9A9AAAAA9A9A9AANAAAAAA


                                                                                                Target ID: 1
                                                                                                Start time: 13:43:11
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Users\user\Desktop\ep_setup.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: "C:\Users\user\Desktop\ep_setup.exe"
                                                                                                Imagebase: 0x7ff611e90000
                                                                                                File size: 11'143'168 bytes
                                                                                                MD5 hash: F164888A6FBC646B093F6AF6663F4E63
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: low
                                                                                                Has exited: true

                                                                                                Target ID: 2
                                                                                                Start time: 13:43:12
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Windows\System32\taskkill.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
                                                                                                Imagebase: 0x7ff7026a0000
                                                                                                File size: 114'688 bytes
                                                                                                MD5 hash: 050ED22BB515A81ED6FC73D042CE5DB4
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: low
                                                                                                Has exited: true

                                                                                                Target ID: 3
                                                                                                Start time: 13:43:12
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase: 0x7ff6038b0000
                                                                                                File size: 1'040'384 bytes
                                                                                                MD5 hash: 9698384842DA735D80D278A427A229AB
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: moderate
                                                                                                Has exited: true

                                                                                                Target ID: 4
                                                                                                Start time: 13:43:13
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                                                                                                Imagebase: 0x7ff719cb0000
                                                                                                File size: 98'304 bytes
                                                                                                MD5 hash: FF2A4319FA5531F0D7B98DBBA9ABBD4A
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: low
                                                                                                Has exited: true

                                                                                                Target ID: 5
                                                                                                Start time: 13:43:13
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase: 0x7ff6038b0000
                                                                                                File size: 1'040'384 bytes
                                                                                                MD5 hash: 9698384842DA735D80D278A427A229AB
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: moderate
                                                                                                Has exited: true

                                                                                                Target ID: 6
                                                                                                Start time: 13:43:16
                                                                                                Start date: 19/12/2024
                                                                                                Path: C:\Windows\System32\sc.exe
                                                                                                Wow64 process (32bit): false
                                                                                                Commandline: "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
                                                                                                Imagebase: 0x7ff719cb0000
                                                                                                File size: 98'304 bytes
                                                                                                MD5 hash: FF2A4319FA5531F0D7B98DBBA9ABBD4A
                                                                                                Has elevated privileges: true
                                                                                                Has administrator privileges: true
                                                                                                Programmed in: C, C++ or other language
                                                                                                Reputation: low
                                                                                                Has exited: true

                                                                                                Target ID:7
                                                                                                Start time:13:43:16
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6038b0000
                                                                                                File size:1'040'384 bytes
                                                                                                MD5 hash:9698384842DA735D80D278A427A229AB
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:13:43:16
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
                                                                                                Imagebase:0x7ff7fc750000
                                                                                                File size:45'056 bytes
                                                                                                MD5 hash:AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:13:43:16
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
                                                                                                Imagebase:0x7ff7fc750000
                                                                                                File size:45'056 bytes
                                                                                                MD5 hash:AF0CDEF5F6ECB9B8EBEF4E480EBAAA5A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:13:43:17
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\explorer.exe"
                                                                                                Imagebase:0x7ff63b640000
                                                                                                File size:5'583'864 bytes
                                                                                                MD5 hash:E2D1F700066D39814081317462A0FD74
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:14
                                                                                                Start time:13:43:19
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Windows\explorer.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\explorer.exe" /NoUACCheck
                                                                                                Imagebase:0x7ff63b640000
                                                                                                File size:5'583'864 bytes
                                                                                                MD5 hash:E2D1F700066D39814081317462A0FD74
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:20
                                                                                                Start time:13:43:25
                                                                                                Start date:19/12/2024
                                                                                                Path:C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_524.30502.30.0_x64__cw5n1h2txyewy\WidgetBoard.exe" -RegisterProcessAsComServer -ServerName:Microsoft.Windows.WidgetBoardServer
                                                                                                Imagebase:0x7ff7ca420000
                                                                                                File size:60'336 bytes
                                                                                                MD5 hash:FE1C0C15EF5C6C2B0A1508BF23EAD6CE
                                                                                                Has elevated privileges:false
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000001.00000002.11856337533.00007FF611E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611E90000, based on PE: true
                                                                                                  • Associated: 00000001.00000002.11856318874.00007FF611E90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000001.00000002.11856370316.00007FF611EB6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000001.00000002.11856400426.00007FF611EC6000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000001.00000002.11856426487.00007FF611EC8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000001.00000002.11856426487.00007FF6128C8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_1_2_7ff611e90000_ep_setup.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: 68e3125686cfe63efa0959c9405ff9fad71e5682ea60b199cc3bad7d618fc792
                                                                                                  • Instruction ID: bd8ed1ef6361adba409fbe224b39bfa415f4eeb410fc96b89719b70ba92813fc
                                                                                                  • Opcode Fuzzy Hash: 68e3125686cfe63efa0959c9405ff9fad71e5682ea60b199cc3bad7d618fc792
                                                                                                  • Instruction Fuzzy Hash: 44117322B14F0589EB00CFA0E8552BA33B8F75DB68F040D31DA6D82764DF3CD1548740
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$Library$CreateLoad$Thread$Module$Virtual$Protect$Handle$Free$Event$CurrentInformationProcess$DirectoryExit$CloseFileFindPathQuery$CommandCreate_CriticalDataEntryEnumErrorExistsFirstFolderImageInitializeL32_LastMutexOpenSectionValueWindows_invalid_parameter_noinfo
                                                                                                  • String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$API-MS-WIN-NTUSER-RECTANGLE-L1-1-0.DLL$API-MS-WIN-SHCORE-REGISTRY-L1-1-0.DLL$Attempting to download symbol data; for now, the program may have limited functionality.$CascadeWindows$CloseThemeData$CoCreateInstance$CreateWindowExW$CreateWindowInBand$DeleteMenu$DllGetClassObject$DrawThemeBackground$DrawThemeTextEx$DwmUpdateThumbnailProperties$EP Service Window thread$Failed to install hooks. rv = %d$GetClientRect$GetSystemMetrics$GetThemeMargins$GetThemeMetric$GetWindowBand$Global\EP_Weather_Killswitch_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$ITrayUIHost = %llX$Initialized taskbar centering module.$InputSwitch.dll$Installed hooks.$IsOS$LoadLibraryExW$LoadMenuW$Loaded symbols$MulDiv$NtUserFindWindowEx$Open Start on monitor thread$OpenThemeDataForDpi$PeopleBand.dll$QISearch$RegCreateKeyExW$RegGetValueW$RegOpenKeyExW$RegSetValueExW$RegisterHotKey$RoGetActivationFactory$Running on Windows %d, OS Build %d.%d.%d.%d.$SHCORE.dll$SHELL32_CanDisplayWin8CopyDialog$SHGetValueW$SHLWAPI.dll$SLGetWindowsInformationDWORD$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SendMessageW$SetRect$SetWindowBand$SetWindowCompositionAttribute$Setup bthprops functions done$Setup combase functions done$Setup explorer functions done$Setup inputswitch functions done$Setup peopleband functions done$Setup shell32 functions done$Setup stobject functions done$Setup twinui functions done$Setup user32 functions done$Setup uxtheme functions done$Setup windows.storage functions done$ShellExecuteExW$ShellExecuteW$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$StartTileData.dll$TileWindows$TrackPopupMenu$TrackPopupMenuEx$USER32.DLL$USER32.dll$[Extra] Finished running entry point.$[Extra] Found library: %p.$[Extra] LoadLibraryW failed with 0x%x.$[Extra] Running entry point...$[IME] Context menu patch status: %d$[TB] Unsupported build$\ExplorerPatcher$\ep_extra.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-largeinteger-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$api-ms-win-core-registry-l1-1-0.dll$api-ms-win-core-shlwapi-obsolete-l1-1-0.dll$api-ms-win-core-winrt-l1-1-0.dll$api-ms-win-ntuser-sysparams-l1-1-0.dll$api-ms-win-shcore-sysinfo-l1-1-0.dll$bthprops.cpl$combase.dll$dwmapi.dll$ep_extra_EntryPoint$explorer.exe!TrayUI_CreateInstance() = %llX$ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll$ext-ms-win-security-slc-l1-1-0.dll$ext-ms-win-shell-exports-internal-l1-1-0.dll$pnidui.dll$shcore.dll$shell32.dll$shell32.dll$slc.dll$stobject.dll$twinui.dll$user32.dll$user32.dll$uxtheme.dll$uxtheme.dll$win32u.dll$windows.storage.dll$windowsudk.shellcommon.dll$xx??x??xxx????xx$xxx????xxx????x????xx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                                                                                                  • API String ID: 1749953344-3583755957
                                                                                                  • Opcode ID: f966dac2161472eb5d1d209419e812a0b817192dcca597b15d9087055d0dd350
                                                                                                  • Instruction ID: 6ed268299b5a726d4eacbe571cd8e8a1f9131ca88d8f6f0288ab5eeb60e1c692
                                                                                                  • Opcode Fuzzy Hash: f966dac2161472eb5d1d209419e812a0b817192dcca597b15d9087055d0dd350
                                                                                                  • Instruction Fuzzy Hash: 3D03F275B58E4BD1EB50DFA1E8603B923A1AF84F48F804636D90E066A5EF3CE5C9C741
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$Create$CloseQuery$InvalidateNotifyRect$CacheChangeFindFlushMessageOpenSendWindow
                                                                                                  • String ID: AllocConsole$AltTabSettings$ArchiveMenu$Attributes$CONOUT$$CenterMenus$ClassicThemeMitigations$ClockFlyoutOnWinC$DisableAeroSnapQuadrants$DisableImmersiveContextMenu$DisableOfficeHotkeys$DisableWinFHotkey$DoNotRedirectDateAndTimeToSettingsApp$DoNotRedirectNotificationIconsToSettingsApp$DoNotRedirectProgramsAndFeaturesToSettingsApp$DoNotRedirectSystemToSettingsApp$DwmExtendFrameIntoClientArea$EnableSymbolDownload$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FileExplorerCommandUI$FlyoutMenus$HideControlCenterButton$HideExplorerSearchBar$HideIconAndTitleInExplorer$HookStartMenu$IMEStyle$IsUpdatePending$LegacyFileTransferDialog$MMOldTaskbarAl$Memcheck$MicaEffectOnTitlebar$MigratedFromOldSettings$MonitorOverride$NoMenuAccelerator$NoPropertiesInContextMenu$OldTaskbar$OldTaskbarAl$OpenAtLogon$OpenPropertiesAtNextStart$OrbStyle$PinnedItemsActAsQuickLaunch$PropertiesInWinX$RemoveExtraGapAroundPinnedItems$ReplaceNetwork$SOFTWARE\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InProcServer32$SOFTWARE\Microsoft\TabletTip\1.7$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MultitaskingView\AltTabViewHost$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$ShrinkExplorerAddressBar$SkinIcons$SkinMenus$SnapAssistSettings$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}\ShellFolder$Software\ExplorerPatcher$Software\ExplorerPatcher\sws$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$SpotlightDesktopMenuMask$SpotlightDisableIcon$SpotlightUpdateSchedule$StartDocked$TaskbarAutohideOnDoubleClick$ToolbarSeparators$TraySettings$UndeadStartCorner$UpdatePolicy$UseClassicDriveGrouping$WeatherContentUpdateMode$WeatherContentsMode$WeatherDevMode$WeatherFixedSize$WeatherIconPack$WeatherLanguage$WeatherLocation$WeatherLocationType$WeatherTemperatureUnit$WeatherTheme$WeatherToLeft$WeatherViewMode$WeatherWindowCornerPreference$WeatherZoomFactor$dwmapi.dll$en-US$uxtheme.dll
                                                                                                  • API String ID: 1717770317-57872525
                                                                                                  • Opcode ID: 55c726c40a494e38a333f58c2c14f683caa3c9481228028a8ad33e5f4c4941bd
                                                                                                  • Instruction ID: c1686c71c75561b64d481d1c9c2cb25b2f14ff1d796f3d5383110217b7166d8f
                                                                                                  • Opcode Fuzzy Hash: 55c726c40a494e38a333f58c2c14f683caa3c9481228028a8ad33e5f4c4941bd
                                                                                                  • Instruction Fuzzy Hash: CDF2FA76B18E5ACAEB209FA4E8607A933B5FB48B48F405135DA4D13B68DF3CD195CB04

                                                                                                  Control-flow Graph
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$Query$Close$CreateDirectory$DeleteWindows$Tree$Find$AddressFileFirstHandleModuleOpenProcSystem_invalid_parameter_noinfo
                                                                                                  • String ID: !$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$OSBuild$SetColorPreferenceForLogonUI$Software\ExplorerPatcher$Software\ExplorerPatcher\explorer$Software\ExplorerPatcher\twinui.pcshell$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$TrayUI::_UpdatePearlSize$Version$[Symbols] Symbols for "%s" are not available.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll$\explorer.exe$\twinui.pcshell.dll$explorer$twinui.pcshell
                                                                                                  • API String ID: 3716114926-1751072635
                                                                                                  • Opcode ID: 412fde013c702e0a086e37fe233cfb6a70287127694cd269689f66558ae1ac9f
                                                                                                  • Instruction ID: 55a6dc45de537f95f47d6040d61207d243eb07fe7334374502d10aca26a5e085
                                                                                                  • Opcode Fuzzy Hash: 412fde013c702e0a086e37fe233cfb6a70287127694cd269689f66558ae1ac9f
                                                                                                  • Instruction Fuzzy Hash: 53622672718E86D6EB20CF90F4607AA7764FB94B58F801231D68D47A68DFBCD199CB00

Control-flow Graph

Similarity
• API ID: AddressProc$DirectoryValue$LibraryLoad$AsyncHandleModuleOpenProcessStateSystemWindows$CloseCreateFindNamePathQueryThreadWindow$CurrentFileFullImageMetricsStrip_invalid_parameter_noinfo
• String ID: ApplyCompatResolutionQuirking$CompatString$CompatValue$Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$CrashCounter$CreateDXGIFactory$CreateDXGIFactory1$CreateDXGIFactory2$DXGID3D10CreateDevice$DXGID3D10CreateLayeredDevice$DXGID3D10GetLayeredDeviceSize$DXGID3D10RegisterLayers$DXGIDeclareAdapterRemovalSupport$DXGIDumpJournal$DXGIGetDebugInterface1$DXGIReportAdapterConfiguration$GetProductInfo$LaunchCflScenario$LaunchUserOOBE$PIXBeginCapture$PIXEndCapture$PIXGetCaptureState$Progman$Proxy Desktop$SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CFL\ExperienceManagerData$SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE$SetAppCompatStringPointer$Software\ExplorerPatcher$UpdateHMDEmulationStatus$Windows.UI.QuickActions.dll$Windows.UI.Xaml.dll$\SearchIndexer.exe$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe$\dxgi.dll$\explorer.exe$api-ms-win-core-sysinfo-l1-2-0.dll$dxgi.dll
• API String ID: 425412005-3433049922
• Opcode ID: f7214b213aa9b7ce686bef311924f7d5d21b0d92d4cd4f49cb39c126f453a435
• Instruction ID: 0ecf55676951bcee1201541b956e3ea1aa417f8e1f9fb26463f620bd06d33bdd
• Opcode Fuzzy Hash: f7214b213aa9b7ce686bef311924f7d5d21b0d92d4cd4f49cb39c126f453a435
• Instruction Fuzzy Hash: C532E075B08E4BD6EB149BA1E8743B923A5FF84B48F800136D94E466A4EF7CE5C9C740

Control-flow Graph

Similarity
• API ID: Library$Load$Module$AddressCurrentFreeInformationProcProcessVirtual$HandleProtect$DataDirectoryEntryImageQueryValue
• String ID: API-MS-WIN-CORE-STRING-L1-1-0.DLL$CoCreateInstance$CompareStringOrdinal$CreateWindowExW$ExplorerFrame.dll$Failed to hook RtlQueryFeatureConfiguration(). rv = %d$GetSystemMetricsForDpi$LoadLibraryExW$RtlQueryFeatureConfiguration$SHRegGetValueFromHKCUHKLM$SetWindowLongPtrW$Shlwapi.dll$Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Start_ShowClassicMode$SystemParametersInfoW$TrackPopupMenu$Windows.UI.FileExplorer.dll$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-libraryloader-l1-2-0.dll$combase.dll$ntdll.dll$shcore.dll$shcore.dll$shell32.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
• API String ID: 404060323-2645642614
• Opcode ID: 9ffdb2377e7a2418f43bd02c71607476b66d4ca44b31f3885eb055b5a4fd8a7b
• Instruction ID: b4a57ad51d25912e35f646a5c1f78aefb4f4527c9674386fe902a7cfc4a7ae37
• Opcode Fuzzy Hash: 9ffdb2377e7a2418f43bd02c71607476b66d4ca44b31f3885eb055b5a4fd8a7b
• Instruction Fuzzy Hash: ACF1DF64B49E4FD1FB10AF95E8603E523A1AF45F84F844132D90E462A5EF7CE6C9C381

Control-flow Graph

Similarity
• API ID: Load$String$Value$CreateQuery$CloseFolderInfoLibraryLocalePath$AddressDirectoryFreeHandleLanguagesModuleOpenPreferredProcSleepThread_invalid_parameter_noinfo
• String ID: %d.%d.%d.%d$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$@$Software\ExplorerPatcher$SymbolsLastNotifiedOSBuild$[Symbols] Attempting to download symbols for OS version %s.$[Symbols] Downloading to "%s".$[Symbols] Finished "Download symbols" thread.$[Symbols] Finished gathering symbol data.$[Symbols] Started "Download symbols" thread.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$https://github.com/valinet/ExplorerPatcher/wiki/Symbols$long$short
• API String ID: 3080592855-3895060210
• Opcode ID: b7bc02cd05561e9a69f72141270c9ff48f8b812540baf4c52e4dacd06bddb68a
• Instruction ID: 022c7d20e0f00399f57801d9a596186ee396bb5f680bb48f0c4089bcd37c1ffd
• Opcode Fuzzy Hash: b7bc02cd05561e9a69f72141270c9ff48f8b812540baf4c52e4dacd06bddb68a
• Instruction Fuzzy Hash: B7026536B18F8AD5EB60DFA0D8603EA2365FB54B48F805132D94D47A99EF3CD689C740

Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create$ReferenceStringWindows$ActivationEventFactory$FindSleepWindow$CloseInitializeMultipleObjectsValueWait
                                                                                                  • String ID: EP_Ev_CheckForUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$IsUpdatePending$Microsoft.Windows.Explorer$Shell_TrayWnd$Software\ExplorerPatcher$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager$[Updates] Starting daemon.$ep_updates
                                                                                                  • API String ID: 515347756-3464217809
                                                                                                  • Opcode ID: 71dd782de2b3c3f84313dd3887abf7a5c32c28c1e968113a04e02553a65a6502
                                                                                                  • Instruction ID: 69d86a6ba96d75d40d9281f60ed8799cec832522bb336b27c4b85a808e1ac346
                                                                                                  • Opcode Fuzzy Hash: 71dd782de2b3c3f84313dd3887abf7a5c32c28c1e968113a04e02553a65a6502
                                                                                                  • Instruction Fuzzy Hash: 13E12336B18E4ADAEB14DFA0E8607A973A1EB48F48F404536DA0D57BA4DF3CE595C310

Control-flow Graph

Control-flow graph (rendered figure; node and edge list not reproduced): basic blocks 7ffd65668690-7ffd656689b9; API calls shown on the graph: RegCreateKeyExW, RegQueryValueExW, RegCloseKey, SendNotifyMessageW, FindWindowExW, GetWindowLongPtrW, InvalidateRect.
APIs
• RegCreateKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD65668707
• RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD65668745
• RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD6566878E
• RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD656687D8
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD656687F9
• RegCreateKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD65668846
• RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD65668883
• SendNotifyMessageW.USER32 ref: 00007FFD656688D0
• FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD656688E4
• FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD656688FE
• FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD65668918
• GetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD6566892B
• InvalidateRect.USER32 ref: 00007FFD65668954
• FindWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD65668441), ref: 00007FFD6566896F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$FindQueryValue$Create$CloseInvalidateLongMessageNotifyRectSend
• String ID: ClockButton$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Search$SearchboxTaskbarMode$Shell_SecondaryTrayWnd$Shell_TrayWnd$ShowTaskViewButton$TaskbarDa$TaskbarSmallIcons$TrayClockWClass$TrayNotifyWnd$TraySettings
• API String ID: 3959271719-3714636963
• Opcode ID: c3af02eb9a0f9d0028d15f10a385c4bd2d7ad293acaf007663b4e5da45b8078f
• Instruction ID: 4e0c22c33949db5bcc2b6642dff86ea339c5cf98d18382f91d88b378dd2cfec7
• Opcode Fuzzy Hash: c3af02eb9a0f9d0028d15f10a385c4bd2d7ad293acaf007663b4e5da45b8078f
• Instruction Fuzzy Hash: 2E915676B08E4ACAEB60CFA4E4607A977B0BB49B58F444635CA4D13AA4DF3CE584C741

Control-flow Graph

Control-flow graph (rendered figure; node and edge list not reproduced): basic blocks 7ffd6568fc70-7ffd6568ff22; API calls shown on the graph: CreateFileW, GetFileSizeEx, GetLastError, CloseHandle, CryptAcquireContextW, CryptCreateHash, ReadFile, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext.
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CryptErrorLast$CloseFileHandleHash$ContextCreateDestroyParamReleaseSize
• String ID: %c%c
• API String ID: 1362656601-3228636524
• Opcode ID: fa4dfc019011472dd1d35effd25235bccfc63980376a3b457180014528bbe418
• Instruction ID: f2087786dcf07027c0a7034bd0167439e15c51b76f47ad8f06b48f1ccde4d793
• Opcode Fuzzy Hash: fa4dfc019011472dd1d35effd25235bccfc63980376a3b457180014528bbe418
• Instruction Fuzzy Hash: FB716C22B08E8AD6EB248FB1E8647BD63A0FB49F98F405135DE4D1AA58DF3CD195C710

Control-flow Graph

APIs
Strings
• EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}, xrefs: 00007FFD6565E55D
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Message$Register$CriticalHandleModuleSectionWindow$ClassCloseCreateCursorDestroyDispatchEnterEventInvalidateLeaveLoadObjectOpenRectStockTimerTranslate
• String ID: EP_Service_Window_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
• API String ID: 124686274-1881722731
• Opcode ID: a1be8459bcfd7c7e29579554fa6886f80e0ea524c161cc7a1dc958779796ac26
• Instruction ID: 23b7051e076c35748e372086acba8224ab39a464deaee4a55372417f146dc6af
• Opcode Fuzzy Hash: a1be8459bcfd7c7e29579554fa6886f80e0ea524c161cc7a1dc958779796ac26
• Instruction Fuzzy Hash: 8551F735B08E4AC1EB249FA5F86476A73A5FF94F94F500035CA4E46AA4DF3DE495CB00

Control-flow Graph

Control-flow graph (rendered figure; node and edge list not reproduced): basic blocks 7ffd6565e860-7ffd6565eb15; API calls shown on the graph: GetCurrentProcess, OpenProcessToken, GetTokenInformation, GetLastError, GetLengthSid, CopySid, DeriveAppContainerSidFromAppContainerName, SetEntriesInAclW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, LocalFree, CreateMutexExW, FreeSid.
APIs
Strings
• Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy, xrefs: 00007FFD6565E97F
• [SMA] Advertising successful animations patching., xrefs: 00007FFD6565EABD
• EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}, xrefs: 00007FFD6565EA95
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Token$ContainerDescriptorFreeInformationProcessSecurity$CopyCreateCurrentDaclDeriveEntriesErrorFromInitializeLastLengthLocalMutexNameOpen
• String ID: EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy$[SMA] Advertising successful animations patching.
• API String ID: 2912553727-3824306247
• Opcode ID: 77db84de59c62dfd770b2048574863a4296daba2a7a34100df496ef98e8fba53
• Instruction ID: cc8c334aa60ff21e4f0309e46be50fdc814ed7e490634e11596bd4ef81a73eeb
• Opcode Fuzzy Hash: 77db84de59c62dfd770b2048574863a4296daba2a7a34100df496ef98e8fba53
• Instruction Fuzzy Hash: FC712A32B48A46CAFF509FA1D4203B933B2BB44B98F054535DE4E1BA99DE3CE995C340
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$Window$CreateDispatchEventHookObjectProcessShellSingleSleepThreadTranslateWaitWindows
                                                                                                  • String ID: Ended "Open Start on current monitor" thread.$Failed to start "Open Start on current monitor" thread.$Progman hook: %d$Progman: %d$ShellDesktopSwitchEvent$Started "Open Start on current monitor" thread.
                                                                                                  • API String ID: 2718461970-1416847937
                                                                                                  • Opcode ID: 90c938bcfe6ddd29e0c9442af5c55c2c7d718c590cd870c2b4843c8362eab85f
                                                                                                  • Instruction ID: 35e3fab112e0eb5058d08be256e3813fbe73dbc2c080309f38fe83363b116739
                                                                                                  • Opcode Fuzzy Hash: 90c938bcfe6ddd29e0c9442af5c55c2c7d718c590cd870c2b4843c8362eab85f
                                                                                                  • Instruction Fuzzy Hash: 14314B21F18D4AC2FB20ABA1E83177A6371BF98F44F845235D94E46664EE2CE595C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FormatMessageProtectVirtual
                                                                                                  • String ID: unprotect memory %p (size=%llu) <- %p (size=%llu)$Failed to unprotect memory %p (size=%llu) <- %p (size=%llu, error=%lu(%s))$Unknown Error
                                                                                                  • API String ID: 2888148163-2742179861
                                                                                                  • Opcode ID: 76f81bbd27526eec4d54eb52136fd5565e358d5aa963c2d15698727e3856a4dd
                                                                                                  • Instruction ID: 2ff24a687723de4fc6452f2ad5cc41a518e127a3ed53934015c1f5b7264a7e80
                                                                                                  • Opcode Fuzzy Hash: 76f81bbd27526eec4d54eb52136fd5565e358d5aa963c2d15698727e3856a4dd
                                                                                                  • Instruction Fuzzy Hash: A1414B32B18E8AC5EB608F91E8603B967A0FB59F88F044136EA8D57759DF3CD495C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll, xrefs: 00007FFD6565D973
                                                                                                  • \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll, xrefs: 00007FFD6565D9DE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Find$DirectoryFileFirstWindows$AddressCloseHandleModuleOpenProcQueryValue_invalid_parameter_noinfo
                                                                                                  • String ID: \SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
                                                                                                  • API String ID: 658624814-2596525942
                                                                                                  • Opcode ID: 83d2bc5265cd564426ecaa33edb809e73b5fea43d63d5d8a03987a1c32f5fdb0
                                                                                                  • Instruction ID: 20ff701cb280640fc4fe1f560bdfb140a118002eef3be112959f422c469e698d
                                                                                                  • Opcode Fuzzy Hash: 83d2bc5265cd564426ecaa33edb809e73b5fea43d63d5d8a03987a1c32f5fdb0
                                                                                                  • Instruction Fuzzy Hash: F421E071F18D4AC1EB60AB64E8653EA2361FB95B28F801232C16E465E4DF7CD58DC740
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateCheckErrorFreeInitializeLastMembershipToken
                                                                                                  • String ID:
                                                                                                  • API String ID: 3835361876-0
                                                                                                  • Opcode ID: 9bc4818ac291dff88db8240e3eeb39b943aa672b01a7781d9cca6c2466c65656
                                                                                                  • Instruction ID: 96a54cfeaa8344e833f0c50fe6a38dc563b27f78b0109efece7a6aa1205078b2
                                                                                                  • Opcode Fuzzy Hash: 9bc4818ac291dff88db8240e3eeb39b943aa672b01a7781d9cca6c2466c65656
                                                                                                  • Instruction Fuzzy Hash: 8411E472B08B4586EB508F6AF49031AF6E8FFD4B84F50402AE68987A69DF7CD445CF40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateInstance$AddressHandleModuleOpenProcQueryValue
                                                                                                  • String ID: Taskbar10.cpp
                                                                                                  • API String ID: 1469795854-890630466
                                                                                                  • Opcode ID: 60967b9696fd8883450f0bcb51fd51fa93ffb76d10351a79bb68758c02aca6cd
                                                                                                  • Instruction ID: 44d6920417c33a47d3f3f5cf010bca59ad6e090bd4b970524ddd0ca7fe16d150
                                                                                                  • Opcode Fuzzy Hash: 60967b9696fd8883450f0bcb51fd51fa93ffb76d10351a79bb68758c02aca6cd
                                                                                                  • Instruction Fuzzy Hash: 0C512535B48F5AC1EB909B95E8A437923A1BB54F84F005536DA4E037A0CF7CE8C9C742
                                                                                                  APIs
                                                                                                  • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00007FFD65691E89), ref: 00007FFD65692DA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoSystem
                                                                                                  • String ID:
                                                                                                  • API String ID: 31276548-0
                                                                                                  • Opcode ID: e4d82352877221a0b517692e33a5f3ddb88e79afc553e17f30fd7a49fed66e58
                                                                                                  • Instruction ID: 15bf90e6add16253a226234dbdfe1124d695773b7141d09e6589821092231b4c
                                                                                                  • Opcode Fuzzy Hash: e4d82352877221a0b517692e33a5f3ddb88e79afc553e17f30fd7a49fed66e58
                                                                                                  • Instruction Fuzzy Hash: 0AF05876F0AD46C2EF148B81E86072873A2FB59F88F000034DA4D82324DE3CD190CB00

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 1001 7ffd6568b190-7ffd6568b1fb LoadLibraryExW GetCurrentProcess K32GetModuleInformation call 7ffd6568ac80 1004 7ffd6568b207-7ffd6568b210 1001->1004 1005 7ffd6568b1fd-7ffd6568b200 1001->1005 1006 7ffd6568b21d-7ffd6568b226 1004->1006 1007 7ffd6568b212-7ffd6568b216 1004->1007 1005->1004 1008 7ffd6568b228-7ffd6568b22c 1006->1008 1009 7ffd6568b233-7ffd6568b23c 1006->1009 1007->1006 1008->1009 1010 7ffd6568b249-7ffd6568b252 1009->1010 1011 7ffd6568b23e-7ffd6568b242 1009->1011 1012 7ffd6568b25f-7ffd6568b268 1010->1012 1013 7ffd6568b254-7ffd6568b258 1010->1013 1011->1010 1014 7ffd6568b275-7ffd6568b27c 1012->1014 1015 7ffd6568b26a-7ffd6568b26e 1012->1015 1013->1012 1016 7ffd6568b27e-7ffd6568b28a call 7ffd65652890 1014->1016 1017 7ffd6568b290-7ffd6568b2a5 1014->1017 1015->1014 1016->1017 1018 7ffd6568b35b-7ffd6568b362 1017->1018 1019 7ffd6568b2ab-7ffd6568b2b3 1017->1019 1023 7ffd6568b376-7ffd6568b383 1018->1023 1024 7ffd6568b364-7ffd6568b370 call 7ffd65652890 1018->1024 1021 7ffd6568b2b5-7ffd6568b2c8 1019->1021 1022 7ffd6568b309-7ffd6568b315 1019->1022 1021->1022 1028 7ffd6568b2ca-7ffd6568b2ec VirtualProtect 1021->1028 1029 7ffd6568b317-7ffd6568b34d call 7ffd65692550 1022->1029 1030 7ffd6568b34f-7ffd6568b356 call 7ffd656511b0 1022->1030 1026 7ffd6568b385-7ffd6568b38a 1023->1026 1027 7ffd6568b38c 1023->1027 1024->1023 1032 7ffd6568b3a2-7ffd6568b3af 1026->1032 1033 7ffd6568b38e-7ffd6568b39d 1027->1033 1034 7ffd6568b39f 1027->1034 1028->1022 1035 7ffd6568b2ee-7ffd6568b303 VirtualProtect 1028->1035 1029->1018 1029->1030 1030->1018 1039 7ffd6568b3b5-7ffd6568b3e1 call 7ffd6565d890 1032->1039 1040 7ffd6568b804-7ffd6568b830 1032->1040 1033->1032 1033->1034 1034->1032 1035->1022 1051 7ffd6568b515-7ffd6568b538 call 7ffd6565d890 1039->1051 1052 7ffd6568b3e7-7ffd6568b400 call 7ffd656511b0 1039->1052 1043 7ffd6568b83d-7ffd6568b844 1040->1043 1044 7ffd6568b832 1040->1044 1048 7ffd6568b846-7ffd6568b84d 1043->1048 1049 7ffd6568b84f-7ffd6568b85c call 7ffd6566cb20 1043->1049 1046 7ffd6568b870-7ffd6568b877 1044->1046 1047 7ffd6568b834-7ffd6568b83b 1044->1047 1053 7ffd6568b879-7ffd6568b885 call 7ffd65652890 1046->1053 1054 7ffd6568b88b-7ffd6568b895 1046->1054 1047->1043 1047->1046 1048->1046 1048->1049 1049->1046 1062 7ffd6568b85e-7ffd6568b869 call 7ffd65689ac0 1049->1062 1069 7ffd6568b665-7ffd6568b69c call 7ffd65688cc0 call 7ffd6565d890 1051->1069 1070 7ffd6568b53e-7ffd6568b572 call 7ffd656511b0 call 7ffd6565d890 1051->1070 1071 7ffd6568b416 1052->1071 1072 7ffd6568b402-7ffd6568b414 call 7ffd65652890 1052->1072 1053->1054 1059 7ffd6568b897-7ffd6568b89e 1054->1059 1060 7ffd6568b8a9-7ffd6568b8e4 call 7ffd6565d290 call 7ffd656511b0 call 7ffd65690ea0 1054->1060 1059->1060 1066 7ffd6568b8a0-7ffd6568b8a4 call 7ffd6568aad0 1059->1066 1062->1046 1083 7ffd6568b86b call 7ffd6565e860 1062->1083 1066->1060 1098 7ffd6568b6ca-7ffd6568b717 call 7ffd656511b0 * 2 VirtualProtect 1069->1098 1099 7ffd6568b69e-7ffd6568b6c4 call 7ffd6565d890 1069->1099 1070->1069 1101 7ffd6568b578-7ffd6568b5ad call 7ffd656511b0 call 7ffd6565d890 1070->1101 1079 7ffd6568b41c-7ffd6568b426 1071->1079 1072->1079 1080 7ffd6568b428 1079->1080 1081 7ffd6568b439-7ffd6568b45b call 7ffd6565d890 1079->1081 1088 7ffd6568b42e-7ffd6568b433 1080->1088 1089 7ffd6568b511 1080->1089 1081->1089 1100 7ffd6568b461-7ffd6568b478 call 7ffd656511b0 1081->1100 1083->1046 1088->1081 1088->1089 1089->1051 1110 7ffd6568b75f-7ffd6568b78f LoadLibraryExW GetCurrentProcess K32GetModuleInformation call 7ffd656890a0 1098->1110 1122 7ffd6568b719-7ffd6568b75a call 7ffd656ba7e0 VirtualProtect call 7ffd656511b0 1098->1122 1099->1098 1099->1110 1112 7ffd6568b486-7ffd6568b48a 1100->1112 1113 7ffd6568b47a-7ffd6568b47e 1100->1113 1101->1069 1121 7ffd6568b5b3-7ffd6568b5ca call 7ffd656511b0 1101->1121 1120 7ffd6568b794-7ffd6568b7b9 call 7ffd6565d890 1110->1120 1112->1089 1117 7ffd6568b490 1112->1117 1113->1112 1116 7ffd6568b480-7ffd6568b484 1113->1116 1123 7ffd6568b495-7ffd6568b49b 1116->1123 1117->1123 1132 7ffd6568b7f5-7ffd6568b7ff call 7ffd656511b0 1120->1132 1133 7ffd6568b7bb-7ffd6568b7f3 call 7ffd656511b0 call 7ffd65692550 1120->1133 1134 7ffd6568b5d8-7ffd6568b5dc 1121->1134 1135 7ffd6568b5cc-7ffd6568b5d0 1121->1135 1122->1110 1123->1089 1127 7ffd6568b49d-7ffd6568b4ce call 7ffd656511b0 VirtualProtect 1123->1127 1127->1089 1138 7ffd6568b4d0-7ffd6568b50c VirtualProtect call 7ffd656511b0 1127->1138 1132->1040 1133->1040 1133->1132 1134->1069 1141 7ffd6568b5e2 1134->1141 1135->1134 1140 7ffd6568b5d2-7ffd6568b5d6 1135->1140 1138->1089 1145 7ffd6568b5e7-7ffd6568b5ed 1140->1145 1141->1145 1145->1069 1147 7ffd6568b5ef-7ffd6568b620 call 7ffd656511b0 VirtualProtect 1145->1147 1147->1069 1151 7ffd6568b622-7ffd6568b660 VirtualProtect call 7ffd656511b0 1147->1151 1151->1069
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B1C4
                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B1CD
                                                                                                  • K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B1E3
                                                                                                    • Part of subcall function 00007FFD6568AC80: GetSystemDirectoryW.KERNEL32 ref: 00007FFD6568ACAB
                                                                                                    • Part of subcall function 00007FFD6568AC80: CreateFileW.KERNELBASE ref: 00007FFD6568ACF1
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B2E4
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B303
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B4C6
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B4FF
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B618
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B653
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B70F
                                                                                                  • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B74D
                                                                                                  • LoadLibraryExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B766
                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B76F
                                                                                                  • K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFD6566E9FC), ref: 00007FFD6568B785
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$CurrentInformationLibraryLoadModuleProcess$CreateDirectoryFileSystem
• String ID: API-MS-WIN-CORE-REGISTRY-L1-1-0.DLL$Failed to hook CMultitaskingViewManager::_CreateXamlMTVHost(). rv = %d$Failed to hook PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor(). rv = %d$PenMenuSystemTrayManager::GetDynamicSystemTrayHeightForMonitor() = %llX$RegGetValueW$Setup twinui.pcshell functions done$Windows.Internal.HardwareConfirmator.dll$[AC] Patched!$[AC] blockBegin = %llX$[AC] blockEnd = %llX$[AC] rcMonitorAssignment = %llX$[CC] Patched!$[CC] blockBegin = %llX$[CC] blockEnd = %llX$[CC] rcMonitorAssignment = %llX$[CC] rcWorkAssignment = %llX$[TV] Patched!$[TV] firstCallCall = %llX$[TV] firstCallPrep = %llX$twinui.pcshell.dll$x?xxx?xx?x????xxxx$x?xxxx?xx?x????xxxx$xxx?xxx?x???xxx$xxx?xxxxx?x$xxxx?xxxx?xxxxxxx?xxx$xxxx?xxxxx?x
• API String ID: 823495189-2291248886
• Opcode ID: 8854462bb2b8e82a1f37dfa626f4381d32bf278cabee296ad67b2b26d0c190aa
• Instruction ID: 40c639635916ecce3774bb1baf8e7c9b997d7b877eb345d6363d7ed6a7954e09
• Opcode Fuzzy Hash: 8854462bb2b8e82a1f37dfa626f4381d32bf278cabee296ad67b2b26d0c190aa
• Instruction Fuzzy Hash: 35222621F08E4AD5EB50DFA1D8643B923A1EB40F98F944236DA0D476A5EF3CE9C9C750

Control-flow Graph

• Graph rendering omitted (function at 7ffd65689ac0; its basic blocks call VirtualProtect repeatedly)
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: Failed to hook CStartExperienceManager::GetMonitorInformation(). rv = %d$[SMA] CExperienceManagerAnimationHelper::Begin() = %llX$[SMA] CExperienceManagerAnimationHelper::End() = %llX$[SMA] CStartExperienceManager::GetMonitorInformation() = %llX$[SMA] Not all offsets were found, cannot perform patch$[SMA] matchAnimationHelperFields = %llX, +0x%X, +0x%X$[SMA] matchHideA in CStartExperienceManager::Hide() = %llX$[SMA] matchHideB in CStartExperienceManager::Hide() = %llX$[SMA] matchSingleViewShellExperienceFields = %llX$[SMA] matchTransitioningToCortanaField = %llX, +0x%X$[SMA] matchVtable = %llX$x??xxxxxx$xx????xx?xxxx$xx?x????x?xxxx????xxx?x$xxx????xx????xxxx$xxx????xxxxxxxxx$xxxx????xxxx$xxxxxx????x????xxxx$xxxxxxx????xxxxxxxxx$xxxxxxxxxx
• API String ID: 544645111-3813412712
• Opcode ID: 463401602733c6c049993bda1178c1a1fd5eb53c5a08e06d197a52809546894a
• Instruction ID: 6ba4604e243e7980a5ea2b825c5f8c26aa2856a7fa1e60040d89302191fb9576
• Opcode Fuzzy Hash: 463401602733c6c049993bda1178c1a1fd5eb53c5a08e06d197a52809546894a
• Instruction Fuzzy Hash: 45025D21B19E4AC2EB60CFA5E8607AA63A1FF44B88F444536DA4D47B94DF3CE589C710

Control-flow Graph

• Graph rendering omitted (function at 7ffd6568ac80; its basic blocks call GetSystemDirectoryW, CreateFileW, GetFileSize, ReadFile and CloseHandle)
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: File$CreateDirectoryReadSizeSystem_invalid_parameter_noinfo
• String ID: CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc() = %lX$CLauncherTipContextMenu::GetMenuItemsAsync() = %lX$CLauncherTipContextMenu::ShowLauncherTipContextMenu() = %lX$CLauncherTipContextMenu::_ExecuteCommand() = %lX$CLauncherTipContextMenu::_ExecuteShutdownCommand() = %lX$CMultitaskingViewManager::_CreateDCompMTVHost() = %lX$CMultitaskingViewManager::_CreateXamlMTVHost() = %lX$Failed to open twinui.pcshell.dll$Failed to read twinui.pcshell.dll$ILauncherTipContextMenuVtbl = %lX$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu() = %lX$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu() = %lX$\twinui.pcshell.dll$xx?x????xx?xx?xxxx????x$xx?x????xxxxxxx????xxxx????x$xx?x????xxxxxxx????xxxx?xxx$xxx?????x?x??x??x?xxxxxxxx$xxx????xxxxxxxxx????xxxxxxx????xxxxxxx????xxxxxxx????xxxx$xxxx??x??x?xxxxxx????x$xxxx?xxxx?xxxxxxxxxxxxxxx$xxxxx????x????xxx$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
• API String ID: 1602095072-688399519
• Opcode ID: 88517552822ccb7787b5f9b1f2ba9f59645bc4d2d2f66214d2ecf1fcfb0b0a1e
• Instruction ID: 251890c862386d9d5b39d855b195750fb3e3aba84c91803636b6a01b2a8da6d5
• Opcode Fuzzy Hash: 88517552822ccb7787b5f9b1f2ba9f59645bc4d2d2f66214d2ecf1fcfb0b0a1e
• Instruction Fuzzy Hash: 34F17F62B0894AC6EB64DFA4D8603B933A1AF40F64F444731DA5E832E5DF3CE989C750

Control-flow Graph

• Graph rendering omitted (function at 7ffd656929b0; its basic blocks call VirtualQuery, GetLastError, FormatMessageA, VirtualAlloc and VirtualFree)
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Virtual$ErrorFormatLastMessage$AllocQuery$Free
• String ID: change hint address from %p to %p$ commit memory %p for read-write (hint=%p, size=%llu)$ process map: %08llx-%08llx %s$ reserve memory %p (hint=%p, size=%llu)$Failed to commit memory %p for read-write (hint=%p, size=%llu, error=%lu(%s))$Failed to execute VirtualQuery (addr=%p, error=%lu(%s))$Failed to reserve memory %p (hint=%p, size=%llu, errro=%lu(%s))$Unknown Error$free$used
• API String ID: 2999834170-966645287
• Opcode ID: 8954e7f1f4c74206c707921dadd97844bae45565a732bf98f7726cddd87cb0b5
• Instruction ID: 6b4ef4edc852c53e98b3d6cf4968150fff38ab8fa77e0d4650e1f7d3251e5a71
• Opcode Fuzzy Hash: 8954e7f1f4c74206c707921dadd97844bae45565a732bf98f7726cddd87cb0b5
• Instruction Fuzzy Hash: 80A16F21B1DE4BC6EB608B95E8603B563A1FB5AF88F440135D98D47BA4EF3CD595CB00

Control-flow Graph

• Graph rendering omitted (function at 7ffd656689c0; its basic blocks call CreateWindowExW, GetAncestor, GetClassNameW, FindWindowW, GetCurrentThreadId, SetWindowsHookExW and ordinal #410)
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: #410ClassNameWindow$AncestorCreateCurrentFindHookThreadWindows
                                                                                                  • String ID: CabinetWClass$ClockButton$NotifyIconOverflowWindow$ReBarWindow32$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysListView32$SysTreeView32$TrayClockWClass$TrayNotifyWnd$TrayShowDesktopButtonWClass
                                                                                                  • API String ID: 2746137922-373551488
                                                                                                  • Opcode ID: 7fff841f66bb9f0377a613a03398ed6c11275bed224b490feb09b733b40c26fb
                                                                                                  • Instruction ID: 62b745b67343563928c0b8aaba7395d7efcba3372d249fef88e78599c8910f86
                                                                                                  • Opcode Fuzzy Hash: 7fff841f66bb9f0377a613a03398ed6c11275bed224b490feb09b733b40c26fb
                                                                                                  • Instruction Fuzzy Hash: 6CE16DA6B48E4AC5EB649B95E42077973E1FB95F50F804131DE4E426A8EF3CE8D1C701

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: Window$MessageProcRegister
                                                                                                  • String ID: Refreshed Spotlight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl$TaskbarCreated$Windows.UI.Core.CoreWindow$d
                                                                                                  • API String ID: 136062168-2101710627
                                                                                                  • Opcode ID: 58ce70c73b0260ac4f8212daba56987900227f23a0229d149a55cebbedb80899
                                                                                                  • Instruction ID: 87b2ab270d020b4e06d3d3ff1160ed0e5a383d30f644a19bd59d0469cdb64dd7
                                                                                                  • Opcode Fuzzy Hash: 58ce70c73b0260ac4f8212daba56987900227f23a0229d149a55cebbedb80899
                                                                                                  • Instruction Fuzzy Hash: 40416665F5CE0BC5FF609BA1E9747B92361AF55FA4F440272D90F06690DF2CA8C4C601
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
                                                                                                  • String ID: [HC] Patched!$[HC] cleanup = %llX-%llX$[HC] match1 = %llX$[HC] match2 = %llX$[HC] writeAt = %llX$xxx????xx$xxx?x$xxx?xxxx
                                                                                                  • API String ID: 1029361184-3401359449
                                                                                                  • Opcode ID: a7a250d5ffd1d1e887633173dbc5b9b45788254cce80a72b013f6192cd1d282f
                                                                                                  • Instruction ID: b76dece946b788c326601a3dc146f4fc9deddda517a5bdface7a816408ed8f79
                                                                                                  • Opcode Fuzzy Hash: a7a250d5ffd1d1e887633173dbc5b9b45788254cce80a72b013f6192cd1d282f
                                                                                                  • Instruction Fuzzy Hash: 46919821B18E5ACAEB10CFB1D8642B977B1AB44F88F448136CA0E17B89DE3CE585C750
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual$ModuleStringWindows$AddressCreateCurrentDeleteHandleInformationLibraryLoadProcProcessReferenceValue
                                                                                                  • String ID: DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on DllGetActivationFactory$Error in Windows11v22H2_combase_LoadLibraryExW on WindowsCreateStringReference$Windows.UI.Xaml.Hosting.WindowsXamlManager$Windows.UI.Xaml.dll
                                                                                                  • API String ID: 2113071911-1359692214
                                                                                                  • Opcode ID: 6a485842b1050d629c3e66bc8dcef4c77c58c436b41d0e9cebd794aef8aec54d
                                                                                                  • Instruction ID: 2d8d19cd44e9c53f1a9c003f9e1c1ab5205b675a04447f933401adfaebc90413
                                                                                                  • Opcode Fuzzy Hash: 6a485842b1050d629c3e66bc8dcef4c77c58c436b41d0e9cebd794aef8aec54d
                                                                                                  • Instruction Fuzzy Hash: 06411E66B19E4AC1EB60DFA1E960369A360FF88F94F441036EA4E47B64DF3CE595C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: System$MetricsValue
                                                                                                  • String ID: &$'$9$Control Panel\Desktop\WindowMetrics$IconSpacing$IconVerticalSpacing$MinWidth
                                                                                                  • API String ID: 1597967150-2735893900
                                                                                                  • Opcode ID: 938e79a5f4417f6df2efa723607223f6b844bda69fdcea2ab12127382762ddd3
                                                                                                  • Instruction ID: 17b500aea19aa3d5f8d9b69cf8d1a13a3db9172cb6059c8dbb18b64597326345
                                                                                                  • Opcode Fuzzy Hash: 938e79a5f4417f6df2efa723607223f6b844bda69fdcea2ab12127382762ddd3
                                                                                                  • Instruction Fuzzy Hash: C7219E35B0CE4AC2EB609B91E4A43AA63A0FF84B40F900136E54D466B5DF7DE8C4C741
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual
                                                                                                  • String ID: [TC] Patched!$[TC] blockBegin = %llX$[TC] blockEnd = %llX$[TC] rcMonitorAssignment = %llX$xxx??xxx?xx$xxx??xxx?xxx$xxx??xxxx?xx$xxx??xxxx?xxx
                                                                                                  • API String ID: 544645111-3560911239
                                                                                                  • Opcode ID: ed6e236de58509fe8fa8d4d2032086b5e9bdda05b63b4a47fc0754114a57bbae
                                                                                                  • Instruction ID: f2b606f625ee268be318599c6b6b559e9dc3c2b0d24d36f1d9a71a8dd2ae526d
                                                                                                  • Opcode Fuzzy Hash: ed6e236de58509fe8fa8d4d2032086b5e9bdda05b63b4a47fc0754114a57bbae
                                                                                                  • Instruction Fuzzy Hash: 3F518E21B08E4AD4EB61DFA5E4203A923A0EF54F84F484A32DA4D077A5EF3CE589C740
                                                                                                  APIs
                                                                                                    • Part of subcall function 00007FFD6565D290: GetModuleHandleExW.KERNEL32 ref: 00007FFD6565D2C6
                                                                                                    • Part of subcall function 00007FFD6565D290: ImageDirectoryEntryToDataEx.DBGHELP ref: 00007FFD6565D2F9
                                                                                                    • Part of subcall function 00007FFD6565D290: FreeLibrary.KERNEL32 ref: 00007FFD6565D32F
                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FFD656630C8), ref: 00007FFD6566D8F3
                                                                                                  • K32GetModuleInformation.KERNEL32(?,?,?,?,?,?,?,00007FFD656630C8), ref: 00007FFD6566D90A
                                                                                                    • Part of subcall function 00007FFD6565D290: FreeLibrary.KERNEL32 ref: 00007FFD6565D3B9
                                                                                                    • Part of subcall function 00007FFD6565D290: VirtualQuery.KERNEL32 ref: 00007FFD6565D3F8
                                                                                                    • Part of subcall function 00007FFD6565D290: VirtualProtect.KERNELBASE ref: 00007FFD6565D413
                                                                                                    • Part of subcall function 00007FFD6565D290: VirtualProtect.KERNEL32 ref: 00007FFD6565D43B
                                                                                                    • Part of subcall function 00007FFD6565D290: FreeLibrary.KERNEL32 ref: 00007FFD6565D446
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibraryVirtual$ModuleProtect$CurrentDataDirectoryEntryHandleImageInformationProcessQuery
                                                                                                  • String ID: CoCreateInstance$RegGetValueW$Setup pnidui functions done$TrackPopupMenu$api-ms-win-core-com-l1-1-0.dll$api-ms-win-core-registry-l1-1-0.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                                                                                                  • API String ID: 430087472-2450567920
                                                                                                  • Opcode ID: 3b037ebd7788b0975fb2461225ebafcf1d17e905b054a30dc4e6bf20cf7efa66
                                                                                                  • Instruction ID: 9d81baad2ad0db7db62284d51d1cbe82b5f9382c551e2c886ccfbbc15083fdcf
                                                                                                  • Opcode Fuzzy Hash: 3b037ebd7788b0975fb2461225ebafcf1d17e905b054a30dc4e6bf20cf7efa66
                                                                                                  • Instruction Fuzzy Hash: D821F765B48E4FD1FB10AFA1E8612F52361AF89B84F844132E94E06665DF3CE6C9C781
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: Window$FindSleep$EventVisible
                                                                                                  • String ID: Ended "Signal shell ready" thread.$Shell_TrayWnd$Start$Started "Signal shell ready" thread.
                                                                                                  • API String ID: 3652910701-782476775
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID: CrashCounter$CrashCounterDisabled$CrashCounterThreshold$CrashThresholdTime$Software\ExplorerPatcher
                                                                                                  • API String ID: 3702945584-694238707
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryModuleProtectVirtual$CurrentFreeHandleInformationLoadProcess
                                                                                                  • String ID: AppResolver.dll$CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart() = %llX$Failed to hook CAppResolverCacheBuilder::_AddUserPinnedShortcutToStart(). rv = %d$RoGetActivationFactory$api-ms-win-core-winrt-l1-1-0.dll$x?xxxx????xxx
                                                                                                  • API String ID: 1174645330-3507426587
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: failed to get page$ failed to make trampoline$Could not allocate memory near address %p$Could not modify already-installed funchook handle.
                                                                                                  • API String ID: 0-2189554615
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleOpenProcQueryValue
                                                                                                  • String ID: RtlGetVersion$UBR$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                                  • API String ID: 3749297518-2374052841
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FormatMessageProtectVirtual
                                                                                                  • String ID: protect memory %p (size=%llu)$Failed to protect memory %p (size=%llu, error=%lu(%s))$Unknown Error
                                                                                                  • API String ID: 2888148163-2522531280
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FormatMessageProtectVirtual
                                                                                                  • String ID: protect page %p (size=%llu, prot=read,exec)$Failed to protect page %p (size=%llu, prot=read,exec, error=%lu(%s))$Unknown Error
                                                                                                  • API String ID: 2888148163-3855186111
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify, xrefs: 00007FFD6566AAD8
                                                                                                  • Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB, xrefs: 00007FFD6566AB0F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual$Openlstrcmpilstrcpy
                                                                                                  • String ID: Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotSIB$Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
                                                                                                  • API String ID: 3588037206-2075971939
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                  • String ID:
                                                                                                  • API String ID: 190073905-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibraryVirtual$Protect$DataDirectoryEntryHandleImageModuleQuery_invalid_parameter_noinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 3041990818-0
                                                                                                  • Opcode ID: 4e1dd611ff582084d51b0f53564d14d9bfa321502564381179b35b6334ffa167
                                                                                                  • Instruction ID: 6cc3f60cb1323c8d1bcc09fef32db3e1f2f4bc8f037e4dd99c10f3c7dcb361bb
                                                                                                  • Opcode Fuzzy Hash: 4e1dd611ff582084d51b0f53564d14d9bfa321502564381179b35b6334ffa167
                                                                                                  • Instruction Fuzzy Hash: AC513162B58E46C2EB549B66E86037A63B0FB85F94F445035EB8E87798DE3CD5C4C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateWait$ChangeEventHandleMultipleNotifyObjectObjectsSingleValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3111792343-0
                                                                                                  • Opcode ID: 74ca69e78427847dc10dd3a75c1c6ffb019dad91667b60695c2db7a9a9389b48
                                                                                                  • Instruction ID: 3e4c2d0507f14cc74e7ad712ec950d18d345f54bc0092a4b389aaa60765c98f2
                                                                                                  • Opcode Fuzzy Hash: 74ca69e78427847dc10dd3a75c1c6ffb019dad91667b60695c2db7a9a9389b48
                                                                                                  • Instruction Fuzzy Hash: 4B615C32B15E4AC6EB54CBA5D4A477973A1FB84F98F088135DA5E477A4DE3CE882C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocErrorFormatLastMessageVirtual
                                                                                                  • String ID: commit page %p (base=%p(used=%d), idx=%llu, size=%llu)$Failed to commit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Unknown Error
                                                                                                  • API String ID: 1689221563-3447313879
                                                                                                  • Opcode ID: b44925e47d1e0ccb1ee2569ab82a625ac04b462aafab48c4de13057f39da817c
                                                                                                  • Instruction ID: 8fbd5e08aa57e9549c099bfc49815a31dbb91d78405ad6ea2b0848bd104d5093
                                                                                                  • Opcode Fuzzy Hash: b44925e47d1e0ccb1ee2569ab82a625ac04b462aafab48c4de13057f39da817c
                                                                                                  • Instruction Fuzzy Hash: F7518F35B09E8AC6EB20CB92E86076667A5FB59F84F440135ED8C47B54DF3CD596C700
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B0207
                                                                                                  • FlsSetValue.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B023D
                                                                                                  • FlsSetValue.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B026A
                                                                                                  • FlsSetValue.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B027B
                                                                                                  • FlsSetValue.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B028C
                                                                                                  • SetLastError.KERNEL32(?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000,00007FFD656B4E97,?,?,?), ref: 00007FFD656B02A7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 2506987500-0
                                                                                                  • Opcode ID: bdb54be4341d54bc273283cacb4df02bb34f6505d0b73b61a08f8a0cbfbe3732
                                                                                                  • Instruction ID: 0fbedf605784304c16d211bb72b6dadcddb10ad254765b360f69e91e75e8c3d2
                                                                                                  • Opcode Fuzzy Hash: bdb54be4341d54bc273283cacb4df02bb34f6505d0b73b61a08f8a0cbfbe3732
                                                                                                  • Instruction Fuzzy Hash: FD113834B09A8AC2FF64A7A1D67137962A2AF48FB0F140734DC2E066D6DE3DB4D1C600
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$AddressHandleModuleOpenProcQuerylstrcmp
                                                                                                  • String ID: ShowCortanaButton$TaskbarDa
                                                                                                  • API String ID: 4138643572-1008683796
                                                                                                  • Opcode ID: 9ca9e85aa57ae71f2ecce6068f2531ffac4e53ca24fc412a877a8943e03e930a
                                                                                                  • Instruction ID: 4107cf8ffad24638e4b1c9ef4617f4ca2533005c7c1a2bc6d9ae9d03437649e9
                                                                                                  • Opcode Fuzzy Hash: 9ca9e85aa57ae71f2ecce6068f2531ffac4e53ca24fc412a877a8943e03e930a
                                                                                                  • Instruction Fuzzy Hash: B421E635A08F85C6EB208F56F85425AB7A5FB88F84F444131EA8D43B68DF3CD494CB00
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibraryProtectVirtual$HandleModule_invalid_parameter_noinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 172810297-0
                                                                                                  • Opcode ID: dae4ad9bb35fcd49da65b17bf2118d8f1734c85b4c447c57c7e2259dea9c94da
                                                                                                  • Instruction ID: 4c6f766776dcb2e6de047ef7899f238d2f1ab3f133e28bb72bfe83dbee225131
                                                                                                  • Opcode Fuzzy Hash: dae4ad9bb35fcd49da65b17bf2118d8f1734c85b4c447c57c7e2259dea9c94da
                                                                                                  • Instruction Fuzzy Hash: FC41FD62B48A4AC2EB648F51E86077A67B1FB89FD8F444035EE8E47794DE3CE594C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: NtUserFindWindowEx$win32u.dll
                                                                                                  • API String ID: 1646373207-2703420062
                                                                                                  • Opcode ID: 83859f7c66667c9c358b2b8106913d927510356cc0bb071f2510942001acc61e
                                                                                                  • Instruction ID: 04b063961598e3b3f5d78e204dbae7c20f9cedb08efc60ed0f94ee0eff1e824a
                                                                                                  • Opcode Fuzzy Hash: 83859f7c66667c9c358b2b8106913d927510356cc0bb071f2510942001acc61e
                                                                                                  • Instruction Fuzzy Hash: 2F018B2AB08E59C6EA00CF92F86062AA7A0BB48FD4F450531EE4D47725DF3CE492CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: SleepValue
                                                                                                  • String ID: CrashCounter$Software\ExplorerPatcher
                                                                                                  • API String ID: 1540188156-2892006628
                                                                                                  • Opcode ID: ed63f36741d272485b999506698d90b264502b0eb51f636bacafd351425c53ee
                                                                                                  • Instruction ID: 1098ee0fbab936947881e4d650b96924f18090cb41d6232c9b517163e6eed566
                                                                                                  • Opcode Fuzzy Hash: ed63f36741d272485b999506698d90b264502b0eb51f636bacafd351425c53ee
                                                                                                  • Instruction Fuzzy Hash: 14F03AA1B28E85C5EB40DB50E46435573B0FB48BA4F801231EA4E067A4DF3CD195CB00
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(?,00007FFD6569203B,?,?,00000000,00007FFD65661EA7), ref: 00007FFD65692145
                                                                                                  • FlushInstructionCache.KERNEL32(?,00007FFD6569203B,?,?,00000000,00007FFD65661EA7), ref: 00007FFD65692154
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CacheCurrentFlushInstructionProcess
                                                                                                  • String ID: Patched Instructions:
                                                                                                  • API String ID: 2564211676-4020029282
                                                                                                  • Opcode ID: f3366050c6bc144045223ff0fb4e42f33b3c7d9e2d4a1136741ca7e68a8572d8
                                                                                                  • Instruction ID: e26609457a9ca205da91cef1aa23ca825f10743a5497806d90ff8f80d9935ea7
                                                                                                  • Opcode Fuzzy Hash: f3366050c6bc144045223ff0fb4e42f33b3c7d9e2d4a1136741ca7e68a8572d8
                                                                                                  • Instruction Fuzzy Hash: 0A416D62B18A8AC1EB209BA1E8203AAA7A5FB55F84F404032DF4D53749EF7CD595C704
                                                                                                  Strings
                                                                                                  • Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FFD656907FF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpen
                                                                                                  • String ID: Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}
                                                                                                  • API String ID: 47109696-1447196730
                                                                                                  • Opcode ID: 459941ef0f60087ec151cbdb1b6a71f2f3f312f2b353b135781bacdd490fabe1
                                                                                                  • Instruction ID: 28244abd60bfa08dc687d95d5d426d42dae78cd579680fa9af4c9d6b9e564bb5
                                                                                                  • Opcode Fuzzy Hash: 459941ef0f60087ec151cbdb1b6a71f2f3f312f2b353b135781bacdd490fabe1
                                                                                                  • Instruction Fuzzy Hash: D2F09021B28F45C2EB408F66F8A072673A0FF98B94F802135E98E46B54DF2CD095CB00
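The record above opens and closes a key at Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, which is the behaviour behind the report's "Possible COM Object hijacking" signature: a CLSID registered under HKCU\Software\Classes takes precedence over the HKLM registration for standard-integrity processes such as explorer.exe, the process this module was dumped from. The host-side check below is an added example, not code from the Joe Sandbox report or from the sample; it compares the per-user and machine-wide server entries for that CLSID. The registry reader is injectable so the comparison runs offline; the winreg reader, the verdict names and the sample table are this example's own, and nothing here claims which hive the sample itself writes to.

```python
"""Per-user vs machine-wide COM registration check for one CLSID.

Added example, not part of the Joe Sandbox report or of the analysed sample.
The registry reader is injectable: on Windows the default reader uses winreg;
dict_reader() wraps a constructed table so the comparison logic runs anywhere.
Verdict names are this script's own.
"""
import sys

CLSID = "{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}"   # CLSID string from the report above
SERVER_SUBKEYS = ("InprocServer32", "LocalServer32")


def key_path(clsid, subkey):
    """Hive-relative path of a server subkey; identical under HKCU and HKLM."""
    return "Software\\Classes\\CLSID\\" + clsid + "\\" + subkey


def winreg_reader(hive_name, path):
    """Default value of <hive>\\<path>, or None if the key is absent (Windows only)."""
    import winreg
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    try:
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, "")[0]
    except FileNotFoundError:
        return None


def dict_reader(table):
    """Reader over a {(hive, path): value} table, for offline use."""
    return lambda hive_name, path: table.get((hive_name, path))


def inspect_clsid(clsid, read=winreg_reader):
    """One finding per server subkey that has a per-user registration.

    Per-user Classes entries win over HKLM for standard-integrity processes,
    so a differing HKCU entry is the shape of a COM hijack.
    """
    findings = []
    for subkey in SERVER_SUBKEYS:
        path = key_path(clsid, subkey)
        user, machine = read("HKCU", path), read("HKLM", path)
        if user is None:
            continue                      # nothing per-user: nothing can be shadowed
        if machine is None:
            verdict = "user_only"         # CLSID exists only for this user
        elif user.strip().lower() != machine.strip().lower():
            verdict = "shadowed"          # per-user server replaces the machine one
        else:
            verdict = "duplicate"         # same server path in both hives
        findings.append({"subkey": subkey, "verdict": verdict, "user": user, "machine": machine})
    return findings


# Constructed sample table: HKLM registers a system DLL, HKCU points at a
# user-writable path. Illustrative values, not what is on any real host.
SAMPLE_TABLE = {
    ("HKLM", key_path(CLSID, "InprocServer32")): r"C:\Windows\System32\example.dll",
    ("HKCU", key_path(CLSID, "InprocServer32")): r"C:\Users\user\AppData\Local\example.dll",
}

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else dict_reader(SAMPLE_TABLE)
    for finding in inspect_clsid(CLSID, reader):
        print(finding)
```

Run on a Windows host it reads the live registry; elsewhere it runs against the sample table. A user_only or shadowed InprocServer32 pointing into a user-writable directory is what a hijack looks like, but a legitimately per-user installed component produces the same shape, so the DLL's signature and origin still have to be checked before calling it malicious.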
                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(?,?,834800000B7CE800,00007FFD656B743A,?,?,?,00007FFD656B7477,?,?,00000000,00007FFD656B5459,?,?,00007FFD656ACF3A,00007FFD656B538B), ref: 00007FFD656ADBF2
                                                                                                  • GetLastError.KERNEL32(?,?,834800000B7CE800,00007FFD656B743A,?,?,?,00007FFD656B7477,?,?,00000000,00007FFD656B5459,?,?,00007FFD656ACF3A,00007FFD656B538B), ref: 00007FFD656ADBFC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 485612231-0
                                                                                                  • Opcode ID: 05ac9442f5ffea28a1eb1d21a830cbea16c909aefcadef8ffdc5edb47fdf31e1
                                                                                                  • Instruction ID: 0d2f310d2fcfaf0a8793470c6a00675e581cea30d26394fdb18de9729da89b2a
                                                                                                  • Opcode Fuzzy Hash: 05ac9442f5ffea28a1eb1d21a830cbea16c909aefcadef8ffdc5edb47fdf31e1
                                                                                                  • Instruction Fuzzy Hash: 05E0B664F19A4EC2FF286BF2D86537921B5AF89F40B444434D90A462A2EE2DA8D5C660
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 3215553584-0
                                                                                                  • Opcode ID: 3711b984e4991261f0e53ccc1e653d5e4836b509d74f60138b4e8019087179fd
                                                                                                  • Instruction ID: e4bdec168c3128e0d7381acd68a3a304a3e316c1c45b537e922db5bbd503f8a5
                                                                                                  • Opcode Fuzzy Hash: 3711b984e4991261f0e53ccc1e653d5e4836b509d74f60138b4e8019087179fd
                                                                                                  • Instruction Fuzzy Hash: 99116036B09E4AC6EA509F95E86037963A1FB40B40F054834D65D4B7A6DF3CE8A1C740
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b7a9823117b8e8457534ed740180dd486be6ae34585640664a697e8c0078950d
                                                                                                  • Instruction ID: a704f1f94e521bf5e289ec052969865cc7e693aaf81aea58909389c5c948555a
                                                                                                  • Opcode Fuzzy Hash: b7a9823117b8e8457534ed740180dd486be6ae34585640664a697e8c0078950d
                                                                                                  • Instruction Fuzzy Hash: C7F03A25F18E0EC4EE685BD5C8B13782661AF96F40F540672E60E863E6DA3DA1E5C601
                                                                                                  APIs
                                                                                                  • __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFD6569136C
                                                                                                    • Part of subcall function 00007FFD6569A948: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFD6569A950
                                                                                                    • Part of subcall function 00007FFD6569A948: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFD6569A955
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
                                                                                                  • String ID:
                                                                                                  • API String ID: 1208906642-0
                                                                                                  • Opcode ID: b849d5d5db9ec032d2834ab2f9a910a3d2d2ea980f48a76a8b15cbc11d9ac2e5
                                                                                                  • Instruction ID: 90368ee1ee771be45ce7a8c493141ec5b224a2dd8fcbbc7593bec260ec2f82ef
                                                                                                  • Opcode Fuzzy Hash: b849d5d5db9ec032d2834ab2f9a910a3d2d2ea980f48a76a8b15cbc11d9ac2e5
                                                                                                  • Instruction Fuzzy Hash: 6FE0B664F0CA4BD2FE982AE191323B812A81F37B44E6001B9D80D429939D2E61C7D222
                                                                                                  APIs
                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,00007FFD656B025A,?,?,0000D0719468BDAC,00007FFD656ABEC9,?,?,?,?,00007FFD656B04C2,?,?,00000000), ref: 00007FFD656ADBB9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 4292702814-0
                                                                                                  • Opcode ID: 55f2dc2961d20ebe61b3e15a53eaada1012a5273e33508384d1903945a15730e
                                                                                                  • Instruction ID: 6f705ff9e597dfb6f18982630e2d6bc5104de80aef7c5595ea4be31272b0b2f3
                                                                                                  • Opcode Fuzzy Hash: 55f2dc2961d20ebe61b3e15a53eaada1012a5273e33508384d1903945a15730e
                                                                                                  • Instruction Fuzzy Hash: 24F0F9A4B09A0FC5FF645AE5D9717B572A16F98F80F185430CD0E863E2EE2EE5D1C210
                                                                                                  APIs
                                                                                                  • HeapAlloc.KERNEL32(?,?,?,00007FFD656B04A9,?,?,00000000,00007FFD656B4E97,?,?,?,00007FFD656ACC63,?,?,?,00007FFD656ACB59), ref: 00007FFD656AE45E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 4292702814-0
                                                                                                  • Opcode ID: 93e5887e88414e6a8d65827f5456db655349e80249961f9d2f06a4db9c598047
                                                                                                  • Instruction ID: 14df898b04df09efd7f8b554b8222ef42e0ee0f54bd6ff8d28d55a916a55581b
                                                                                                  • Opcode Fuzzy Hash: 93e5887e88414e6a8d65827f5456db655349e80249961f9d2f06a4db9c598047
                                                                                                  • Instruction Fuzzy Hash: D1F0DA20B19E4FC5FE645AF5E86137572959F84FA0F080734D92E862C2DD2DA8D1C510
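The records above are what the Joe Sandbox IDA plugin emits per function: API calls with their call-site addresses, referenced strings, and fuzzy hashes of the opcodes. Two of them carry the behaviour the report's signatures rest on: the GetCurrentProcess/FlushInstructionCache pair next to the string "Patched Instructions:" (flushing the instruction cache is what follows writing new code bytes into a running process), and the open/close of Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}. The parser below is an added example, not code from the Joe Sandbox report or from the sample; it turns this text format into records and applies those two indicators. The record layout it assumes is the one visible above, the embedded input is constructed by abbreviating three records from this page, and the indicator tags are the script's own.

```python
"""Triage of Joe Sandbox per-function records (text export of a report).

Added example; not code from the Joe Sandbox report or from the sample it
describes. Parses the "APIs" / "Strings" / "Similarity" records and flags an
instruction-cache flush after in-memory code patching and access to a
per-CLSID key under Software\\Classes. Tag names are this script's own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: three records abbreviated from this report ("Memory Dump
# Source" and "Joe Sandbox IDA Plugin" lines left out; the parser skips them).
SAMPLE_RECORDS = r"""
APIs
• GetCurrentProcess.KERNEL32(?,00007FFD6569203B,?,?,00000000,00007FFD65661EA7), ref: 00007FFD65692145
• FlushInstructionCache.KERNEL32(?,00007FFD6569203B,?,?,00000000,00007FFD65661EA7), ref: 00007FFD65692154
Strings
Similarity
• API ID: CacheCurrentFlushInstructionProcess
• String ID: Patched Instructions:
• Instruction Fuzzy Hash: 0A416D62B18A8AC1EB209BA1E8203AAA7A5FB55F84F404032DF4D53749EF7CD595C704
APIs
Strings
• Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}, xrefs: 00007FFD656907FF
Similarity
• API ID: CloseOpen
• String ID: Software\Classes\CLSID\{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}
• Instruction Fuzzy Hash: D2F09021B28F45C2EB408F66F8A072673A0FF98B94F802135E98E46B54DF2CD095CB00
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FFD656B04A9), ref: 00007FFD656AE45E
Similarity
• API ID: AllocHeap
• Instruction Fuzzy Hash: D1F0DA20B19E4FC5FE645AF5E86137572959F84FA0F080734D92E862C2DD2DA8D1C510
"""

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str            # call-site address
    args: str = ""
    subcall: str = ""   # set when reported as "Part of subcall function <addr>"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity fields (API ID, hashes, ...)

SECTIONS = {"APIs", "Strings", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[^\s(,]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^•\s*(?P<value>.*),\s*xrefs:\s*[0-9A-Fa-f]+$")
META_RE = re.compile(r"^•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")
CLSID_KEY_RE = re.compile(r"Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}", re.IGNORECASE)

def parse_records(text):
    """Split report text into FunctionRecords; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            section = None            # any other header: bullets below it are ignored
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["args"] or "", m["sub"] or ""))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m["value"])
        elif section == "Similarity" and (m := META_RE.match(line)):
            cur.meta[m["key"]] = m["value"].strip()
            if m["key"] == "Instruction Fuzzy Hash":   # last field of every record
                records.append(cur)
                cur = FunctionRecord()
    return records                    # a trailing, unterminated record is dropped

def indicators(rec):
    """(tag, explanation) pairs for one record."""
    hits, names = [], {a.name for a in rec.apis}
    texts = rec.strings + [rec.meta.get("String ID", "")]
    if "FlushInstructionCache" in names:
        why = "FlushInstructionCache: cache flush that follows an in-memory code write (inline patch/hook)"
        if any("Patched Instructions" in t for t in texts):
            why += "; the function also references the string 'Patched Instructions:'"
        hits.append(("code_patching", why))
    for t in texts:
        if m := CLSID_KEY_RE.search(t):
            hits.append(("com_hijack_candidate", f"registry path {m.group(0)}: a per-CLSID key; created "
                         "under HKCU it shadows the HKLM registration, so verify the server subkeys on a host"))
            break
    return hits

def triage(text):
    """Record index -> indicator hits, for records that have any."""
    out = {}
    for i, rec in enumerate(parse_records(text)):
        if hits := indicators(rec):
            out[i] = hits
    return out

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_RECORDS).items():
        for tag, why in hits:
            print(f"record {i}: {tag}: {why}")
```

Pass the full text export in place of SAMPLE_RECORDS to list only the functions with a hit. A record that is not closed by its Instruction Fuzzy Hash line is dropped rather than guessed at, and the heap and CRT records on this page produce no hit, which is the intended outcome: the rules key on the two behaviours, not on ordinary runtime calls.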
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: StringWindows$Delete$Buffer$ActivationCreateFactoryReference$MonitorRectWindow$FromInfo_invalid_parameter_noinfo
                                                                                                  • String ID: AcrylicBorder$ContentPaneGrid$ContentRoot$GridPane$NestedPanel$RootContent$RootGrid$ScrollContentPresenter$ScrollViewer$StartUI.SplitViewFrame$StartUI.StartSizingFrame$StartUI.StartSizingFramePanel$StartUI.TileGroupViewControl$StartUI.TileListViewItem$StartUI.TileViewControl$Windows.UI.Xaml.Controls.Border$Windows.UI.Xaml.Controls.Canvas$Windows.UI.Xaml.Controls.ContentPresenter$Windows.UI.Xaml.Controls.Frame$Windows.UI.Xaml.Controls.Grid$Windows.UI.Xaml.Controls.Image$Windows.UI.Xaml.Controls.ItemsPresenter$Windows.UI.Xaml.Controls.TileGrid$Windows.UI.Xaml.Media.VisualTreeHelper$Windows.UI.Xaml.Window$contentPresenter$gridRoot$groupItems$page
                                                                                                  • API String ID: 347649780-2825766018
                                                                                                  • Opcode ID: e5b07c0f267d911b8b8bbf6575401f784d53ce77ca5a286dc459bbc077433eff
                                                                                                  • Instruction ID: 22c207719c570c82770ce415f9e00870c1fbc3cc1b3e22a8c4da63ab6f46d7c6
                                                                                                  • Opcode Fuzzy Hash: e5b07c0f267d911b8b8bbf6575401f784d53ce77ca5a286dc459bbc077433eff
                                                                                                  • Instruction Fuzzy Hash: A153D736704F8ACADB649F66D8942AD2765FB88F89F004126DE1E4BB68DF39D585C300
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$Rect$Client$Find$Message$Send$Invalidate$ClassVisibleWord$Move$ParentPropRegister$Monitor$FromInfoLongNotifyRemove
• String ID: !@$EPTBLEN$MSTaskListWClass$MSTaskSwWClass$PeopleBand$ReBarWindow32$Start$TrayButton$TrayDummySearchControl$TraySettings
• API String ID: 2509908205-217918233
• Opcode ID: 711883755e967174166c771be66c080798932c6e11d56cd6f74aa121bd91870f
• Instruction ID: aa2cba19f0da3449e555450429bf295c0d61d2a49fea8765420efd9646497d2a
• Opcode Fuzzy Hash: 711883755e967174166c771be66c080798932c6e11d56cd6f74aa121bd91870f
• Instruction Fuzzy Hash: B2825D76B08A4ACAEB14CFA5E8607A967A1FB88F88F044135DE0957B58DF3DE584C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Object$Select$Delete$CreateTheme$Text$CompatibleDraw$AlphaBlendPerformanceQuery$ActiveBitsStretchWindow$ColorCountCounterFrequencyGdipInfoPaintTick$AttributeBeginClientCompositionEnabledEventFromGraphicsHandleIconLayeredLoadModeModuleParametersRectResetSectionStringSystemUpdateVisible_invalid_parameter_noinfo
• String ID: $ $%$(%d) $Desktop$ExplorerFrame.dll$\rundll32.exe
• API String ID: 3026936367-3704886723
• Opcode ID: 8004d31d2916429a112b036949a7ced1a4dc0d09858fd7f6daf62b0a02ee4215
• Instruction ID: 11e8ca13ec1a93c35152c525bc0ef81962a614113ff3ac256f12718cb8df9e99
• Opcode Fuzzy Hash: 8004d31d2916429a112b036949a7ced1a4dc0d09858fd7f6daf62b0a02ee4215
• Instruction Fuzzy Hash: 16F28E32B08B85CAEB65CF65D8647E977A1FB54B88F004236DA4A57B94DF3CE584CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: QueryValue$CreateStringWindows$InternetOpen$BufferCloseDeleteEvent_invalid_parameter_noinfo
• String ID: /download/$/update_silent$CheckElevationEnabled$ConsentPromptBehaviorAdmin$ExplorerPatcher$ExplorerPatcher$ExplorerPatcher_GUI_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$FilterAdministratorToken$S-1-5-$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System$Software\ExplorerPatcher$UpdateAllowDowngrades$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$UpdateUseLocal$Windows.Data.Json.JsonArray$[Updates] Checking against hash "%s"$[Updates] Download path is "%s".$[Updates] Downloaded finished.$[Updates] Failed. Read %d bytes.$[Updates] Hash of remote file is "%s" (%s).$[Updates] In order to install this update for the product "ExplorerPatcher", please allow the request.$[Updates] Local version obtained from hash is %d.%d.%d.%d.$[Updates] Prerelease update URL: "%s"$[Updates] Release notes URL: "%s"$[Updates] Update URL: %s$[Updates] Update failed because the following error has occured: %d.$[Updates] Update failed because the request was denied.$[Updates] Update successful, File Explorer will probably restart momentarily.$\ExplorerPatcher$\ExplorerPatcher\ep_gui.dll$\Update for ExplorerPatcher from $\WindowsPowerShell\v1.0\powershell.exe$assets$browser_download_url$ep_setup.exe$html_url$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest$iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$invalid$kernel32.dll$name$open$runas$updates.cpp$valid
• API String ID: 1866200-3143775457
• Opcode ID: f48a65fc542332675df43c0f4c3631243fcddafdc05fa17b4744a3873ee274da
• Instruction ID: 0bc15d08beae060aa0022ef3be7683ccfd2939225d8f981b67e31ea0971e3ba1
• Opcode Fuzzy Hash: f48a65fc542332675df43c0f4c3631243fcddafdc05fa17b4744a3873ee274da
• Instruction Fuzzy Hash: B4910C72B18E55DAFB208BA4E8547DE77B0FB84758F500236DA4D57AA8DF38D189CB00
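The String ID list in the entry above is the most informative one on this page for triage: it mixes UAC policy value names (ConsentPromptBehaviorAdmin, FilterAdministratorToken, CheckElevationEnabled under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), the product's own update settings under Software\ExplorerPatcher, two hard-coded GitHub URLs, an executable name (ep_setup.exe), the "runas" verb, and a PowerShell download-and-execute cradle (iex (irm '...')). The script below is an added example for pulling such indicators out of a Joe Sandbox "String ID" field; it is not Joe Sandbox or ExplorerPatcher code. It assumes only what the page shows: the field is a single line with strings joined by "$". The sample input is a constructed, shortened copy of the list above, and EnableLUA and PromptOnSecureDesktop are added to the UAC value set from general knowledge of that policy key (they do not appear on the page). Note the caveat it encodes: Joe Sandbox also uses "$" to join strings that themselves contain "$" (the entry before this one has "$ $%$(%d) $Desktop"), so the split is lossy; and a string being present proves a capability exists in the binary, not that the code path executed in this run.

```python
"""Triage the '$'-joined 'String ID' field of a Joe Sandbox function entry.

Added example, not part of the sandbox report or the analysed product.
"""
from __future__ import annotations

import re

# Constructed sample: a shortened copy of the String ID list from the function
# entry above, keeping the indicators that matter for triage.
SAMPLE_STRING_ID = (
    "/download/$/update_silent$CheckElevationEnabled$ConsentPromptBehaviorAdmin$"
    "ExplorerPatcher$FilterAdministratorToken$S-1-5-$"
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$"
    "Software\\ExplorerPatcher$UpdateURL$UpdateURLStaging$UpdateUseLocal$"
    "\\ExplorerPatcher\\ep_gui.dll$\\WindowsPowerShell\\v1.0\\powershell.exe$"
    "browser_download_url$ep_setup.exe$"
    "https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$"
    "https://github.com/valinet/ExplorerPatcher/releases/latest$"
    "iex (irm 'https://raw.githubusercontent.com/valinet/ep_make/master/ep_make_safe.ps1')$"
    "kernel32.dll$open$runas$updates.cpp"
)

CATEGORIES = ("ps_cradle", "url", "registry_path", "uac_policy_value",
              "file_path", "elevation_verb", "sid_prefix", "other")

# Values under ...\Policies\System. The first three appear on the page; EnableLUA
# and PromptOnSecureDesktop are well-known UAC values added as an assumption.
UAC_POLICY_VALUES = {"CheckElevationEnabled", "ConsentPromptBehaviorAdmin",
                     "FilterAdministratorToken", "EnableLUA", "PromptOnSecureDesktop"}

# A cradle needs both an execute primitive and a fetch primitive, in either order.
PS_EXEC = re.compile(r"\b(iex|invoke-expression)\b", re.I)
PS_FETCH = re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b"
                      r"|downloadstring|downloadfile", re.I)


def split_string_id(field: str) -> list[str]:
    """Split on the '$' joiner. Literal '$' inside a string is indistinguishable
    from the joiner, so this is lossy; empty fragments from that collision are dropped."""
    return [t for t in field.split("$") if t.strip()]


def classify(token: str) -> str:
    """Assign one category per string; order of checks is the precedence
    (a cradle contains a URL, so it is tested before the URL rule)."""
    if PS_EXEC.search(token) and PS_FETCH.search(token):
        return "ps_cradle"
    if re.match(r"https?://", token, re.I):
        return "url"
    if re.match(r"(HK(LM|CU|CR|U|CC)\\|software\\)", token, re.I):
        return "registry_path"
    if token in UAC_POLICY_VALUES:
        return "uac_policy_value"
    if re.search(r"\.(exe|dll|ps1)$", token, re.I):
        return "file_path"
    if token.lower() == "runas":
        return "elevation_verb"
    if token.startswith("S-1-5-"):
        return "sid_prefix"
    return "other"


def triage(field: str) -> dict[str, list[str]]:
    """Bucket every string in the field by category, preserving report order."""
    buckets: dict[str, list[str]] = {c: [] for c in CATEGORIES}
    for tok in split_string_id(field):
        buckets[classify(tok)].append(tok)
    return buckets


def findings(buckets: dict[str, list[str]]) -> list[str]:
    """Turn bucket combinations into the points an analyst would write down.
    These describe capabilities present in the strings, not observed behaviour."""
    notes: list[str] = []
    if buckets["ps_cradle"]:
        notes.append("PowerShell download-and-execute cradle present")
    if buckets["uac_policy_value"] and buckets["elevation_verb"]:
        notes.append("reads UAC policy values and uses the runas verb: elevation-aware flow")
    if buckets["url"] and any(p.lower().endswith(".exe") for p in buckets["file_path"]):
        notes.append("hard-coded URL plus an .exe name: fetches a PE from the network")
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_STRING_ID)
    for category in CATEGORIES:
        if result[category]:
            print(f"{category}: {result[category]}")
    for note in findings(result):
        print("finding:", note)
```

Run it against the full String ID line of any entry; the "other" bucket is where the format strings and log messages land, which is useful on its own since strings such as "[Updates] Update failed because the request was denied." tell you the updater expects a UAC consent prompt rather than silently bypassing one.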
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Load$String$FileResource$CloseFree$CreateHandleLibrary$InfoLocalLocaleQueryValueView_invalid_parameter_noinfo$AllocFindFolderLanguagesLockMappingModuleNamePathPreferredSizeofThreadUnmap
• String ID: <progress value="{progressValue}" status="{progressStatus}"/>$<actions><action content="%s" arguments="%s"/></actions>$<toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$This$[Updates] An update is available.$[Updates] Configured update policy on this system: "Check for updates but let me choose whether to download and install them".$[Updates] Configured update policy on this system: "Install updates automatically".$[Updates] Configured update policy on this system: "Manually check for updates".$[Updates] No updates are available.$[Updates] Path to module: %s$[Updates] Unable to check for updates because the remote server is unavailable.$[Updates] Using hardcoded hash.$\ExplorerPatcher\ep_gui.dll$action=update$https://github.com/valinet/ExplorerPatcher/releases/latest$long$short
• API String ID: 3445338827-2029114158
• Opcode ID: 6f9a3a13e40f8a26155c297df19f68e736b4aeb311e71b466cd00d917e358fc6
• Instruction ID: bedbd05e4e8aac9ed07061110972f06212962180d0059099b18caf2d7c8738c9
• Opcode Fuzzy Hash: 6f9a3a13e40f8a26155c297df19f68e736b4aeb311e71b466cd00d917e358fc6
• Instruction Fuzzy Hash: 32523D32B18F8AC6EB608F65D8607EA63A0FB85B48F405231DA4D17B59EF3CD695C740
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Menu$Load$DeleteHandleModule$AsyncStateString$#413MessageModifyRegisterWindow
• String ID: %SystemRoot%\system32\taskmgr.exe$ExplorerFrame.dll$P$Windows11ContextMenu_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$c
• API String ID: 2510583281-2371452002
• Opcode ID: f9d560b070c91b04f8ca3e6fc8ef0ada0cda45978650c2a06835ca219aa19d69
• Instruction ID: 6bd9fd49f3bfec75127390b92ea65b11321d3eff619ce2ff89ebbb2aaae04c0f
• Opcode Fuzzy Hash: f9d560b070c91b04f8ca3e6fc8ef0ada0cda45978650c2a06835ca219aa19d69
• Instruction Fuzzy Hash: A7F16D35F58E4AC6FB648BA1E8247B923A1FF85F58F405135C90E4AA94DF3CA586CB01
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: QueryValue$Unregister$Register$ErrorLast$AttributeWindow$CloseCreate$AreaClientExtendFrameIntoVirtual
• String ID: AltTabSettings$AlwaysUseWindowTitleAndIcon$ColorScheme$CornerPreference$IncludeWallpaper$MasterPadding$MaxHeight$MaxHeightAbs$MaxWidth$MaxWidthAbs$NoPerApplicationList$PerMonitor$PrimaryOnly$RowHeight$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer$ScrollWheelBehavior$ScrollWheelInvert$ShowDelay$Software\ExplorerPatcher\sws$SwitcherIsPerApplication$Theme
• API String ID: 120246194-1466656710
• Opcode ID: 08e0dc4a089c58c7e65733ad880e94a8016b912be8f752c570bb8e0c7e152e0d
• Instruction ID: c4566b3f5f46fca9207372348f483de9d24a76425329b268b89ce1dee212e52c
• Opcode Fuzzy Hash: 08e0dc4a089c58c7e65733ad880e94a8016b912be8f752c570bb8e0c7e152e0d
• Instruction Fuzzy Hash: 80F1F576B14B56CAEB208FA0E454B9D77B4F788B58F841235DA8C17B28DF38C199CB14
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$Monitor$From$CursorPoint$FindInfoRect$Class$ActiveCloseCreateHandleMessageNameObjectRegisterSingleThemeThreadWaitWord
• String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
• API String ID: 3963456163-2175658619
• Opcode ID: 1f3180e44d35f91ef1a9850fb378fe04d911e7c89125ff2bf70966cd8cc43956
• Instruction ID: e4803e62d002b671e426b1d8178b083e333ea8ae77345c1ca3c02cfbf28c42f7
• Opcode Fuzzy Hash: 1f3180e44d35f91ef1a9850fb378fe04d911e7c89125ff2bf70966cd8cc43956
• Instruction Fuzzy Hash: 2D126D76B08E46C6EB158BA5E4643AA73B1FB88F94F044235DA4E57B68DF3CE481C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Value$Create$CloseDirectoryFileProtectSystemVirtual_invalid_parameter_noinfo$AddressErrorHandleLastModuleOpenProcQuery
• String ID: .dll$CImmersiveContextMenuOwnerDrawHelper::s_ContextMenuWndProc$CLauncherTipContextMenu::GetMenuItemsAsync$CLauncherTipContextMenu::ShowLauncherTipContextMenu$CLauncherTipContextMenu::_ExecuteCommand$CLauncherTipContextMenu::_ExecuteShutdownCommand$CMultitaskingViewManager::_CreateDCompMTVHost$CMultitaskingViewManager::_CreateXamlMTVHost$Hash$ImmersiveContextMenuHelper::ApplyOwnerDrawToMenu$ImmersiveContextMenuHelper::RemoveOwnerDrawFromMenu$Software\ExplorerPatcher\twinui.pcshell$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\twinui.pcshell.dll$twinui.pcshell
• API String ID: 2736650789-497210955
• Opcode ID: 0675f4ab8254927a775032cea71827116847c6cb81a9a532533a81f165ca049e
• Instruction ID: f03bfac562afb6789510bfdac11a5dc05b5349a5e8bbcdca33ecb28be491c79b
• Opcode Fuzzy Hash: 0675f4ab8254927a775032cea71827116847c6cb81a9a532533a81f165ca049e
• Instruction Fuzzy Hash: 64D16775B18E4AC6EB20DF94E8603A97375FB84B58F404131DA8D47AA4DFBCD589C740
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Value$CloseCreateErrorLastModule$ExtensionFileLoadNamePathRemoveString$AllocateAwarenessCheckContextCurrentDirectoryExecuteFreeHandleInitializeMembershipMessageProcessShellToken
• String ID: .IA-32.dll$Apartment$DriveMask$MessageBoxW$SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32$SOFTWARE\Classes\Drive\shellex\FolderExtensions\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32$ThreadingModel$\ExplorerPatcher.amd64.dll"$ext-ms-win-ntuser-dialogbox-l1-1-0.dll$p$runas
• API String ID: 3183597740-1688178669
• Opcode ID: ceaab783ba9ea9b201be885b6fc26ef9a5b853ab2f436d5dad6f9baee700225c
• Instruction ID: 0e7a231d3e9dc339eefb832af4f3c1fe7cc862f1366e946ad89e4aec07ce02ed
• Opcode Fuzzy Hash: ceaab783ba9ea9b201be885b6fc26ef9a5b853ab2f436d5dad6f9baee700225c
• Instruction Fuzzy Hash: EFE15171B18F86C6EB209FA0E4643AA73A1FB84B64F404235DA9D47B98DF7DD195CB00
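The registry paths in this entry are an in-process COM server registration for CLSID {D17F1E1A-5919-4427-8F89-A1A8503CA3EB}: the native SOFTWARE\Classes\CLSID\...\InProcServer32 key, its WOW6432Node mirror, a ThreadingModel value (Apartment), and the same CLSID under Drive\shellex\FolderExtensions, with "runas" alongside (the API ID lists Create and Value calls). An offline triage of such registrations, as an added Python example that is not code from this report or from ExplorerPatcher: it parses a `reg export` text dump and flags every InProcServer32 DLL that lives outside the Windows and Program Files trees. The .reg snippet is constructed; the full DLL paths, the 32-bit file name and the second CLSID are made up for illustration, and only the first CLSID and the value names come from the entry.

```python
"""Added example: triage InProcServer32 registrations from a `reg export` dump.

Not part of the sandbox report or of ExplorerPatcher. The sample export below is
constructed; only the CLSID {D17F1E1A-...}, the InProcServer32 / WOW6432Node key
shapes and the ThreadingModel=Apartment value are taken from the report entry.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32]
@="C:\\Program Files\\ExplorerPatcher\\ExplorerPatcher.amd64.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}\InProcServer32]
@="C:\\Program Files\\ExplorerPatcher\\ExplorerPatcher.IA-32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\Users\\Public\\shellext.dll"
"ThreadingModel"="Apartment"
'''
# Install path, 32-bit file name and the second (flagged) CLSID above are assumptions.

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')
# Match "...\CLSID\{GUID}\InProcServer32" in both the native and WOW6432Node hives.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)

# DLL locations a non-admin cannot normally write to. Anything else is worth a look.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "%systemroot%\\",
)


def parse_inproc_servers(reg_text: str):
    """Return [(key_path, clsid, dll_path)] for every InProcServer32 default value.

    .reg files double backslashes inside string values; undo that so the path
    compares like a real filesystem path.
    """
    results = []
    current_key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and current_key:
            c = CLSID_RE.search(current_key)
            if c:
                dll = m.group("val").replace("\\\\", "\\")
                results.append((current_key, c.group(1), dll))
    return results


def flag_suspicious(servers):
    """Return [(clsid, dll_path, reason)] for servers loaded from untrusted locations.

    This is a static heuristic over exported text; on a live host you would also
    check that the DLL exists and carries a valid Authenticode signature.
    """
    flagged = []
    for _key, clsid, dll in servers:
        low = dll.strip('"').lower()
        if not low.startswith(TRUSTED_ROOTS):
            flagged.append((clsid, dll, "InProcServer32 DLL outside Windows/Program Files"))
    return flagged


if __name__ == "__main__":
    servers = parse_inproc_servers(SAMPLE_REG_EXPORT)
    for key, clsid, dll in servers:
        print(f"{clsid}  {dll}")
    for clsid, dll, reason in flag_suspicious(servers):
        print(f"FLAG {clsid}: {reason} ({dll})")
```

Running the two CLSID views side by side matters on 64-bit hosts: a 32-bit process resolves the CLSID through WOW6432Node, so a registration present in only one view, or pointing at different DLLs in the two views, is itself a triage lead.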
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: QueryValue$CloseCreate
• String ID: ForceStartSize$MakeAllAppsDefault$MonitorOverride$NoStartMenuMorePrograms$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer$SOFTWARE\Policies\Microsoft\Windows\Explorer$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$StartDocked_DisableRecommendedSection$StartUI_EnableRoundedCorners$StartUI_ShowMoreTiles$Start_MaximumFrequentApps$Start_ShowClassicMode$TaskbarAl
• API String ID: 2657993070-1512199074
• Opcode ID: 7e91b4fd689718da68debbc9959a60179704b034e2a6f1ebd680488db1f3f30f
• Instruction ID: 8ac55778d7ff58a84100c7b263a24c837c2098b2a920f0f9fd74df0b5a918b78
• Opcode Fuzzy Hash: 7e91b4fd689718da68debbc9959a60179704b034e2a6f1ebd680488db1f3f30f
• Instruction Fuzzy Hash: E9F1F476F18B06CAEB10CFA0E4A07A977B4FB84B58F500635DA4D52A68DF3CD184CB50
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: String$Windows$CreateReference$ByteDeleteFormatLibraryLoadSize$ActivateCounterFolderFreeInstancePathPerformanceQuery_invalid_parameter_noinfo
• String ID: %s / %s$EP_Ev_InstallUpdatesNoConfirm_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Windows.UI.Notifications.NotificationData$\ExplorerPatcher\ep_gui.dll$action=update$ep_updates$indeterminate$progressStatus$progressValue$updates.cpp
• API String ID: 2375332063-2428038664
• Opcode ID: d9f4d5dde8a7d03f1098689d6001779440e47441b912f1d012fa573a0040d778
• Instruction ID: 5fce03132a53b0eb6e4c3190f16605a54d42ae29e09f3f4347de8268888e156e
• Opcode Fuzzy Hash: d9f4d5dde8a7d03f1098689d6001779440e47441b912f1d012fa573a0040d778
• Instruction Fuzzy Hash: 62324D32B08F4AC6EB149BA5E4607AE6361FB84F84F444636DA4E57B64DF3CD489C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
• String ID: CTaskBand_CreateInstance$HandleFirstTimeLegacy$Hash$ImmersiveTray::AttachWindowToTray$ImmersiveTray::RaiseWindow$SetColorPreferenceForLogonUI$Software\ExplorerPatcher\explorer$TrayUI::_UpdatePearlSize$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\explorer.exe$\explorer.exe
• API String ID: 3922731654-964289750
• Opcode ID: 106e1ce24d9322d45e8a4499fdd46a895db9c7ec386d72e10d2cb2b8b8a8a8c4
• Instruction ID: 1c6219cb4815aeca65aa03f8f23e2a2b809bc21e46a00c62a03bba1875e84bea
• Opcode Fuzzy Hash: 106e1ce24d9322d45e8a4499fdd46a895db9c7ec386d72e10d2cb2b8b8a8a8c4
• Instruction Fuzzy Hash: 0DA17972B18E46C6EB20DFA4E4607A97371FB84B58F404231DA8D47AA9DFBCD189C740
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Create$CloseHandleObjectSingleWait$ExecuteInstanceQueryShellStringThreadWindows$AddressDeleteModuleOpenProcReferenceServiceSleepUnknown_Value
• String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$ReplaceVan$SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network$ShowVAN$ms-availablenetworks:$ms-settings:network$open$shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}$van.dll
• API String ID: 1920378819-2880650144
• Opcode ID: b675cd6dceb69a7e36282b34b0d70cd36532ff9b7445b0c106042c40146c3297
• Instruction ID: 11a5e3d9154848ba47cbee303f42bf4b9e673c3f28a6a8cc5e0ed7a9c29d079c
• Opcode Fuzzy Hash: b675cd6dceb69a7e36282b34b0d70cd36532ff9b7445b0c106042c40146c3297
• Instruction Fuzzy Hash: AFE12335F58E4AC6FB649BE1E8707B923A1AF84B58F50413AD90E476A4DF3CA8C4C701
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CreateFile$CloseHandleMapping_invalid_parameter_noinfo
• String ID: %08lX%04hX%04hX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX$%x/$/download/symbols/$RSDS
• API String ID: 1983873661-2402091955
• Opcode ID: 487057ca424dff22dcf5c02e0f811aaff343f7eb314c5405646703778120c259
• Instruction ID: 9d1a51d6b69290527ecf6b719a37c4cdf70dea0eb9f5c748176ba5312ef04905
• Opcode Fuzzy Hash: 487057ca424dff22dcf5c02e0f811aaff343f7eb314c5405646703778120c259
• Instruction Fuzzy Hash: 01B18971B08A8AC6EB249B91E4247B967B0FB85F54F444131DA5A07BD4DF3CE6E5C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Value$Create$CloseDirectoryFileWindows_invalid_parameter_noinfo$ErrorLast
• String ID: .dll$Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartDocked$StartDocked$StartDocked::LauncherFrame::OnVisibilityChanged$StartDocked::LauncherFrame::ShowAllApps$StartDocked::StartSizingFrame::StartSizingFrame$StartDocked::SystemListPolicyProvider::GetMaximumFrequentApps$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartDocked.dll
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CloseFind$DirectoryValueWindows$FileFirstOptions$CreateInfoInitializeSystem_invalid_parameter_noinfo
• String ID: Hash$Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher\StartUI$StartUI.dll$StartUI::SystemListPolicyProvider::GetMaximumFrequentApps$StartUI_.dll$Version$[Symbols] Downloading symbols for "%s" ("%s")...$[Symbols] Failure in reading symbols for "%s".$[Symbols] Please refer to "https://github.com/valinet/ExplorerPatcher/wiki/Symbols" for more information.$[Symbols] Reading symbols...$[Symbols] Symbols for "%s" are not available - unable to download.$[Symbols] Unable to create registry key.$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI.dll$\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartUI_.dll
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Path$Menu$Window$Foregroundwsprintf$CloseCreateExtensionHandleInsertPopupRemoveSpacesUnquote$CursorDestroyProcessShowStripTrack
• String ID: "C:\Program Files\7-Zip\7zFM.exe" %s$"C:\Program Files\7-Zip\7zG.exe" x -o"%s" -spe %s$&Extract to "%s\"$&Open archive
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Monitor$Window$From$Prop$ErrorLast$CreateFontIndirect$#334AttributeDirectoryFreeInfoSystemTask
• String ID: Microsoft.Windows.ShellManagedWindowAsNormalWindow$Segoe UI$\rundll32.exe$valinet.ExplorerPatcher.ShellManagedWindow
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$Monitor$From$FindStringWindows$ActivationCloseCreateCursorDeleteDisplayEnumFactoryHandleInfoMonitorsMutexOpenPointRectReferenceShow
• String ID: !@$EPStart10_AnimationsPatched_{A6EA9C2D-4982-4827-9204-0AC532959F6D}$Shell_SecondaryTrayWnd$Shell_TrayWnd$Windows.UI.Xaml.Window
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CreateErrorEventLast$CloseHandle$ExecuteProcessShellSleepThreadValue
• String ID: EP_Ev_InstallUpdates_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}$Software\ExplorerPatcher$UpdatePreferStaging$eplink://update$eplink://update/stable$eplink://update/staging$h$open
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Menu$PopupQueryValue$BindCreateDestroyDisplayFreeInsertItemNameParentParseTaskTrack
• String ID: ::{2CC5CA98-6485-489A-920E-B3E88A6CCCE3}$InfoTip$P$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}$c
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Thread$MessageMonitorPost$CriticalSectionWindow$EnterFindFromInfoLeave
• String ID: SOFTWARE\Microsoft\Accessibility$Shell_TrayWnd$TextScaleFactor
                                                                                                  • API String ID: 2849209329-777505285
                                                                                                  • Opcode ID: 111ecb4b0944f52e029e530ec12786c88d09f85c8ae2ef7f3cebbaa856a1a13f
                                                                                                  • Instruction ID: 4b699e241d7e21e22d3407491be4809743b776c5b122d759b240c99f24c63e51
                                                                                                  • Opcode Fuzzy Hash: 111ecb4b0944f52e029e530ec12786c88d09f85c8ae2ef7f3cebbaa856a1a13f
                                                                                                  • Instruction Fuzzy Hash: E4F1493AB08A4ACAE7148FA1E8607A937A6FB89F49F104135CE4D57B54DF7DE494CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Internet$CloseHandle$FileOpen$CreateDeleteDirectoryErrorExecuteFolderLastObjectPathReadShellSingleSleepWait_invalid_parameter_noinfo
                                                                                                  • String ID: @$ExplorerPatcher$\ExplorerPatcher$\MicrosoftEdgeWebview2Setup.exe$https://go.microsoft.com/fwlink/p/?LinkId=2124703$p
                                                                                                  • API String ID: 2895610840-1819798696
                                                                                                  • Opcode ID: fee8e3442e41825557668e320b8500766bb06b32796133866a629d19263ef6a7
                                                                                                  • Instruction ID: 6e688975ed9e7cdb5183b6a3cf3e67b3ca781b35d3c09a010ae92aa38a5c1067
                                                                                                  • Opcode Fuzzy Hash: fee8e3442e41825557668e320b8500766bb06b32796133866a629d19263ef6a7
                                                                                                  • Instruction Fuzzy Hash: 09617F32B18F86C6FB109BA0E8643A97371FB95B94F404235DA4D07A59DF3DD595CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$HandleModuleWindow$ClassCreateCursorDestroyDispatchEventLoadObjectRegisterSleepStockTranslate
                                                                                                  • String ID: 0$FixTaskbarAutohide_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
                                                                                                  • API String ID: 2692392126-3745785993
                                                                                                  • Opcode ID: 372ee5a78053523f1f732c44edd9fd8a641ae2e0514952c61d0baf2847e36725
                                                                                                  • Instruction ID: a8b67487efd8a43416b1015e976536a369f6c9e1a838f5c7f09411a98c641538
                                                                                                  • Opcode Fuzzy Hash: 372ee5a78053523f1f732c44edd9fd8a641ae2e0514952c61d0baf2847e36725
                                                                                                  • Instruction Fuzzy Hash: DA411232B08F86C2EB649B64F86436AB3F5FB98B44F544135D68E46AA4DF7CD095CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Menu$HandleModule$ItemLoadWindow$BandClassCountCreateCursorForegroundInsertMessageObjectPopupRegisterRemoveSendSleepStockStringTrack
                                                                                                  • String ID: ExplorerFrame.dll$LauncherTipWnd
                                                                                                  • API String ID: 1231917228-1828045394
                                                                                                  • Opcode ID: a2ce811fbcbaa5abdfb05332ecdd07edec44e6b718b2e546fc625e4652fb423d
                                                                                                  • Instruction ID: fb5419b30e8695a32fc665722f32f0ed879d6e4efdd5da49352c93a29a52b457
                                                                                                  • Opcode Fuzzy Hash: a2ce811fbcbaa5abdfb05332ecdd07edec44e6b718b2e546fc625e4652fb423d
                                                                                                  • Instruction Fuzzy Hash: EDC11436B09B4ACAEB548FA5E8647A933A5FB48B88F104539DA4D47BA4CF3DD490C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Resource$Load$Free$InfoLibraryLocalLocaleQueryStringThreadValue$AllocCloseCreateFindFolderLanguagesLockPathPreferredSizeofSwitch_invalid_parameter_noinfo
                                                                                                  • String ID: <toast scenario="reminder" activationType="protocol" launch="%s" duration="%s"><visual><binding template="ToastGeneric">$\ExplorerPatcher\ep_gui.dll$short
                                                                                                  • API String ID: 2536480284-1480496686
                                                                                                  • Opcode ID: 87811b746d36d61cf86ced4364272ea2b398efece0665d3c22738b0e16dc0d31
                                                                                                  • Instruction ID: 67c0df1154d13dfa6e996d5a5d196a16ddaee0a19800aab8c4364c9668c92bbb
                                                                                                  • Opcode Fuzzy Hash: 87811b746d36d61cf86ced4364272ea2b398efece0665d3c22738b0e16dc0d31
                                                                                                  • Instruction Fuzzy Hash: C2817C62B18F8AC6EB14DF65D8103E96761FB98B88F449131DE4D17B65EF38D299C300
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$FindMonitor$From$CreateCursorInfoInstanceMessagePointRectSend
                                                                                                  • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
                                                                                                  • API String ID: 3957573836-2175658619
                                                                                                  • Opcode ID: 7d5b0573b76e2f28007cb4b648ccba6ba01dc73f564d0536a8582c9ff69fe12d
                                                                                                  • Instruction ID: ac5db4a22f0c7d2a93478e67309f16060df72feb8f0b29e3a460fde828f6cc29
                                                                                                  • Opcode Fuzzy Hash: 7d5b0573b76e2f28007cb4b648ccba6ba01dc73f564d0536a8582c9ff69fe12d
                                                                                                  • Instruction Fuzzy Hash: AA812876B09E4ACAEB14DBA5E8247A923B1FB48F88B444475CD0E57B68CF38D589C350
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create$CloseObjectSingleWait$AddressCurrentFolderHandleInformationInstanceLibraryLoadModulePathProcProcessSleepThread_invalid_parameter_noinfo
                                                                                                  • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$DllGetClassObject$SOFTWARE\Microsoft\Windows\CurrentVersion\ImmersiveShell$UseWin32BatteryFlyout$\ExplorerPatcher\pnidui.dll
                                                                                                  • API String ID: 1967696875-3120677660
                                                                                                  • Opcode ID: e2d5b28068aa931c6fb9c5cbf57efc894ed3ba83578ae93960a9428d6e2c18b7
                                                                                                  • Instruction ID: f64532bd4e5373b195c25ee46c8e0cd1d0bc0675802966be111845a60bfbb87c
                                                                                                  • Opcode Fuzzy Hash: e2d5b28068aa931c6fb9c5cbf57efc894ed3ba83578ae93960a9428d6e2c18b7
                                                                                                  • Instruction Fuzzy Hash: 2F913636F48E4AC2EB509B95E8A03AA77A1BB84F94F404136D94D476A4DF7CE4C5C740
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue$CloseCreate_invalid_parameter_noinfo
                                                                                                  • String ID: /download/$Software\ExplorerPatcher$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$[Updates] Update URL: %s$ep_setup.exe$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest
                                                                                                  • API String ID: 2821414459-3346571005
                                                                                                  • Opcode ID: da3e1e35e89e51ba0aa011a3f5a3193dc25c751d9a6c9f66f81cca83597fd921
                                                                                                  • Instruction ID: af8d1d4b2515c617c1d30152d8454d339843afdc36268af71f4b30f1e1c0ecf8
                                                                                                  • Opcode Fuzzy Hash: da3e1e35e89e51ba0aa011a3f5a3193dc25c751d9a6c9f66f81cca83597fd921
                                                                                                  • Instruction Fuzzy Hash: B3712E72B18A56C6F7209FA4E85079A77B4FB84754F900236DA8D13A68DF3CD196CF00
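The String ID field of each record above lists the strings recovered from one function, joined with `$`, which is also how the API ID field joins API names. Picking the indicators out of those fields by hand (the GitHub release URLs and the Software\ExplorerPatcher update keys in the record just above, the WebView2 bootstrapper path and go.microsoft.com link in the earlier one) is slow, so here is a small added parser, written for this page and not part of the Joe Sandbox report or of ExplorerPatcher, that splits the String ID fields of such records into individual strings and buckets them into URLs, registry paths and file paths. It assumes that no recovered string itself contains a `$`, and it uses the two records for the WebView2 download and the update check, copied from this section, as its constructed sample input.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two function records copied from the
# "Similarity" section of this report (the WebView2 bootstrapper download
# and the GitHub update check), with the bullets as the page extracts them.
SAMPLE = r"""
• API ID: Internet$CloseHandle$FileOpen$CreateDeleteDirectoryErrorExecuteFolderLastObjectPathReadShellSingleSleepWait_invalid_parameter_noinfo
• String ID: @$ExplorerPatcher$\ExplorerPatcher$\MicrosoftEdgeWebview2Setup.exe$https://go.microsoft.com/fwlink/p/?LinkId=2124703$p
• API String ID: 2895610840-1819798696
• Opcode ID: fee8e3442e41825557668e320b8500766bb06b32796133866a629d19263ef6a7
• API ID: QueryValue$CloseCreate_invalid_parameter_noinfo
• String ID: /download/$Software\ExplorerPatcher$UpdatePreferStaging$UpdateTimeout$UpdateURL$UpdateURLStaging$[Updates] Update URL: %s$ep_setup.exe$https://api.github.com/repos/valinet/ExplorerPatcher/releases?per_page=1$https://github.com/valinet/ExplorerPatcher/releases/latest
• API String ID: 2821414459-3346571005
• Opcode ID: da3e1e35e89e51ba0aa011a3f5a3193dc25c751d9a6c9f66f81cca83597fd921
"""


@dataclass
class FunctionRecord:
    api_id: str
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""


# One "• Name: value" line of a Similarity block; the bullet and the
# indentation are extraction artifacts, so both are optional.
FIELD_RE = re.compile(r"^\s*•?\s*(API ID|String ID|API String ID|Opcode ID):\s*(.*?)\s*$")


def parse_records(text: str) -> list:
    """Group Similarity fields into one FunctionRecord per 'API ID' line."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "API ID":
            current = FunctionRecord(api_id=value)
            records.append(current)
        elif current is None:
            continue  # a field before the first API ID line has no record to join
        elif name == "String ID":
            # Joe Sandbox joins the strings of one function with '$'.
            # Assumption: no recovered string itself contains a '$'.
            current.strings = value.split("$")
        elif name == "API String ID":
            current.api_string_id = value
        elif name == "Opcode ID":
            current.opcode_id = value
    return records


URL_RE = re.compile(r"^https?://", re.IGNORECASE)
REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|Control Panel)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^\\|^[A-Za-z]:\\|\.(exe|dll)$", re.IGNORECASE)


def classify(s: str) -> str:
    """Heuristic bucket for one recovered string."""
    if URL_RE.match(s):
        return "url"
    if REGISTRY_RE.match(s):
        return "registry"
    if PATH_RE.search(s):
        return "path"
    if "%s" in s or "%d" in s:
        return "format"
    return "other"


def indicators(records: list) -> dict:
    """Deduplicated URLs, registry paths and file paths across all records."""
    out = {"url": set(), "registry": set(), "path": set()}
    for rec in records:
        for s in rec.strings:
            kind = classify(s)
            if kind in out:
                out[kind].add(s)
    return {kind: sorted(values) for kind, values in out.items()}


if __name__ == "__main__":
    for kind, values in indicators(parse_records(SAMPLE)).items():
        print(kind)
        for v in values:
            print("   ", v)
```

To run it over a whole report, paste the Similarity sections into SAMPLE. The buckets are heuristic: a bare value name such as UpdateURL cannot be told apart from any other plain string without the key it is read from (here Software\ExplorerPatcher), so the output is a triage aid for deciding which functions to open in the dump, not a verdict on the sample.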
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$HandleModule$ClassCreateCursorDispatchInitializeInstanceLoadObjectRegisterShowSleepStockTranslateWindow
                                                                                                  • String ID: ArchiveMenuWindowExplorer$Ended "Archive menu" thread.$Started "Archive menu" thread.
                                                                                                  • API String ID: 3032281874-998171920
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: SHRegGetValueFromHKCUHKLM$Shlwapi.dll
                                                                                                  • API String ID: 0-2208286396
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                  • API String ID: 808467561-2761157908
                                                                                                  Similarity
                                                                                                  • API ID: Window$Find$InvalidateRect$MessagePost
                                                                                                  • String ID: !@$Shell_SecondaryTrayWnd$Shell_TrayWnd$Start
                                                                                                  • API String ID: 492091407-2979015546
                                                                                                  Similarity
                                                                                                  • API ID: Process$CloseHandleProcess32$CreateDirectoryFirstFullImageNameNextOpenQuerySnapshotTerminateToolhelp32Windows_invalid_parameter_noinfo
                                                                                                  • String ID: ShellExperienceHost.exe$\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                                                                                                  • API String ID: 2097983625-1597348990
                                                                                                  APIs
                                                                                                  • ShellExecuteW.SHELL32 ref: 00007FFD6565E1FF
                                                                                                    • Part of subcall function 00007FFD65672270: CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD656722BE
                                                                                                    • Part of subcall function 00007FFD65672270: IUnknown_QueryService.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD656722F1
                                                                                                    • Part of subcall function 00007FFD65672270: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD65672364
                                                                                                    • Part of subcall function 00007FFD65672270: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD65672428
                                                                                                  Similarity
                                                                                                  • API ID: CreateStringWindows$DeleteExecuteInstanceQueryReferenceServiceShellUnknown_
                                                                                                  • String ID: ShowVAN$ms-availablenetworks:$ms-settings:network$open$shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$shell:::{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}$van.dll
                                                                                                  • API String ID: 3979293583-2514944852
                                                                                                  Similarity
                                                                                                  • API ID: Value$ErrorLastMessage$ChangeNotifyQuery$DispatchMultipleObjectsPeekTranslateWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 2018483580-0
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateInstanceQueryServiceUnknown_
                                                                                                  • String ID: IsAutoHideEnabled$Shell_TrayWnd$TwinUIPatches.cpp
                                                                                                  • API String ID: 2021386587-823477751
                                                                                                  Similarity
                                                                                                  • API ID: Thumbnail$QuerySizeSource$Unregister$Register$PropertiesUpdate
                                                                                                  • String ID:
                                                                                                  • API String ID: 3108602342-0
                                                                                                  • Opcode ID: f18ce4ecb7d5584a72fe5b3af655532a1fc6869fdc1c023dbaf405e095f5fe85
                                                                                                  • Instruction ID: f8249af950833a8c05430be1b2964a9a4b65b37c3f4a1e541e351309a3bcc2c6
                                                                                                  • Opcode Fuzzy Hash: f18ce4ecb7d5584a72fe5b3af655532a1fc6869fdc1c023dbaf405e095f5fe85
                                                                                                  • Instruction Fuzzy Hash: 7572BF32B18A45CBD769CF79D250B6DB7A1FB54B85F108225EB4A53B44DB38F8A1CB00
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 8a24f21186d3076e97c719e6723c893b26f1c3773e47fc18d1fd71f9efe3f4bd
• Instruction ID: 815307c2e2658f088880dac14d111425e9b4183c2aa16ee83ac23ae5bf582e2f
• Opcode Fuzzy Hash: 8a24f21186d3076e97c719e6723c893b26f1c3773e47fc18d1fd71f9efe3f4bd
• Instruction Fuzzy Hash: 13C1B036B28E49C5EB10CFA5D4A02AC37B1FB49F98B011235DA1E9B3A5CF39D495C740
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: FindWindow$MessageSend
• String ID: MSTaskSwWClass$RebarWindow32$Shell_TrayWnd
• API String ID: 1134572027-589293716
• Opcode ID: f85175f125cf8e8b66d54df70546532ba3cac7d82357f4b638c5a70c5f5e0bf6
• Instruction ID: 65cd55561b3a10e51a81877665fc792ee95bb180b580ddd6af2f338622d3626f
• Opcode Fuzzy Hash: f85175f125cf8e8b66d54df70546532ba3cac7d82357f4b638c5a70c5f5e0bf6
• Instruction Fuzzy Hash: 85116D62F08F4AD1EB649BA2F62077523A1AF98FA0F584636D91D17A94DE3CE480C311
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: HandleModuleProtectVirtual$DataDirectoryEntryFreeImageLibrary
• String ID: IsOS$api-ms-win-shcore-sysinfo-l1-1-0.dll
• API String ID: 2091478098-2234916554
• Opcode ID: e98dbb5fea8f3cad26d962c9c131c634824320574ccc615d19d2902921557c52
• Instruction ID: 9f22b998aceca6d9415b0bdb875bdf6354bce95f401ee1c5e84b35e3e49969e2
• Opcode Fuzzy Hash: e98dbb5fea8f3cad26d962c9c131c634824320574ccc615d19d2902921557c52
• Instruction Fuzzy Hash: D731CF61F98E4E83FF509BA9D4203792360AB95B84F502036EE8E4B755DE3CE4C1CB15
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CurrentDebugDebuggerOutputPresentStringThread
• String ID: StartMenuSettings.cpp
• API String ID: 4268342597-657291044
• Opcode ID: 6d8b8fe23441a23184f810657323b9a692593ad32fad85dc3e2652344cdbfed2
• Instruction ID: 81ae4431103dfbf347daaa249805349aa303b29d033d82bd570c2a325280bf66
• Opcode Fuzzy Hash: 6d8b8fe23441a23184f810657323b9a692593ad32fad85dc3e2652344cdbfed2
• Instruction Fuzzy Hash: A6716122F19B8AC6EB74DFA4E4603A967E1FB44B48F041575D99D42AA4DF3CE5C0C710
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: FindMessageSendTimeoutWindow
• String ID: EnsureXAML$Shell_TrayWnd
• API String ID: 268879178-954582075
• Opcode ID: bc3035862facb520a34d482c511542335a9f8f46059ef51329d527d37712b2b1
• Instruction ID: eaef6beda1b075371b5884b405df8e4db2b4cb5a1d1887263e0f81da0f67dbf7
• Opcode Fuzzy Hash: bc3035862facb520a34d482c511542335a9f8f46059ef51329d527d37712b2b1
• Instruction Fuzzy Hash: 47F08276B18E45C2E7048F51E8143656261FB88BD4F488030D94E06B54CF7CC185CB00
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 54df691b28dde9a3de2a0b1b7d4322a8dab56d24a2e0dd98c6a87ab6e9c6fd8f
• Instruction ID: 53c3a9d20885043fc1b0603931df31c1e95c93317571104374113886a75eff72
• Opcode Fuzzy Hash: 54df691b28dde9a3de2a0b1b7d4322a8dab56d24a2e0dd98c6a87ab6e9c6fd8f
• Instruction Fuzzy Hash: 83C11672B19A89C7DB24CF59E0547AAB791F794B84F448139DB4E43744EB3DE850CB00
APIs
• GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FFD6567B0AF,?,?,?,?,?,00000000,?,00007FFD6567B8AB), ref: 00007FFD6567A7D3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: HeapProcess
• String ID: length
• API String ID: 54951025-25009842
• Opcode ID: 6497c20ab327c247e3391e124cd2222a9c7f014157bb9895d514ed880f26a4c3
• Instruction ID: 3145935a1d620bac0318be7ed8448fbd13206a8ee555cb7652bf091790fd8031
• Opcode Fuzzy Hash: 6497c20ab327c247e3391e124cd2222a9c7f014157bb9895d514ed880f26a4c3
• Instruction Fuzzy Hash: 41314A62B08E4AC1EA509F99E4A036873A0FB94F40F948A36D64C477B5DF7CE9C2C700
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
• Opcode ID: 401ca3d791ec56ee7fb3f1ebf025869707402de53eaa05fa8685b2422944ba93
• Instruction ID: eae06edd3238b8510a1eee55535581c2cb51df9193a8e9f6bcd6bcd21dd88155
• Opcode Fuzzy Hash: 401ca3d791ec56ee7fb3f1ebf025869707402de53eaa05fa8685b2422944ba93
• Instruction Fuzzy Hash: 89514936B18ACAC6E7248A75D8607697B91F744F94F488231CB6847BD6CF3ED880C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: BindObject
                                                                                                  • String ID:
                                                                                                  • API String ID: 761158930-0
                                                                                                  • Opcode ID: c0904f1775784fbdffb0825d8212574418776d9953f8ca2ed613c08eb1ad7e77
                                                                                                  • Instruction ID: 76993e1ee2df9ae5f4e207cb775f5d4f12754005f66d841c8c18fa4533f031c4
                                                                                                  • Opcode Fuzzy Hash: c0904f1775784fbdffb0825d8212574418776d9953f8ca2ed613c08eb1ad7e77
                                                                                                  • Instruction Fuzzy Hash: C5C01225F14E95C2DB149F58F81169533B0FB44708FE00136D68D05630CF3CC266CA04
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  • Opcode ID: ef908d49defdeecee50d3da7e537f4c07f43aba96ae6a3cb168878c6caae1050
                                                                                                  • Instruction ID: 8d3eceda8e7b2e20755e30e05c883ccf257ad6d069627e17433a8241269cfdfc
                                                                                                  • Opcode Fuzzy Hash: ef908d49defdeecee50d3da7e537f4c07f43aba96ae6a3cb168878c6caae1050
                                                                                                  • Instruction Fuzzy Hash: 11B13C72B48A8AC5E7648FAAC8A036D3BA0EB45F48F144135DF4E47399DF2AD881C754
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  • Opcode ID: a95da338390158b58e8d7dac47523ee0e7d0ae6289380b73c11d4f7196d0344f
                                                                                                  • Instruction ID: 18d5a96a190344eb9e2b5c11e04e496f9dc3806151b5c05c691e236e71f95f8e
                                                                                                  • Opcode Fuzzy Hash: a95da338390158b58e8d7dac47523ee0e7d0ae6289380b73c11d4f7196d0344f
                                                                                                  • Instruction Fuzzy Hash: E8B17E72A49A49C6E7658F6AC8B037C3BA1FB49F48F645135CA8E47395DF2AD4C1C700
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5fe1221e2acf0ae6bf989f2213628dd87e3d5c1a39ea450b01547ba6e59fff52
                                                                                                  • Instruction ID: 16c7844ca3dc4b572692a5a2a80b31b2164c06d55db8f12c59b3a9cdb9326179
                                                                                                  • Opcode Fuzzy Hash: 5fe1221e2acf0ae6bf989f2213628dd87e3d5c1a39ea450b01547ba6e59fff52
                                                                                                  • Instruction Fuzzy Hash: C5E1A136B08A8AC2EB69CAA5C96033977A1FF45F45F154135CA8D072D9DFBBE891C301
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5928575681f851bd86756db403d3da97f1196c8ac83e938697ac036f80151180
                                                                                                  • Instruction ID: cb43a6c835cea9bcbdaacb1e7060e59bb88911d138a75092b856db4d0906f76c
                                                                                                  • Opcode Fuzzy Hash: 5928575681f851bd86756db403d3da97f1196c8ac83e938697ac036f80151180
                                                                                                  • Instruction Fuzzy Hash: 12E1BF72B08B9BC5FA648B80D57477933A5EB22F94F648136D64E066E4DF2CE4C5C382
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 84f7174f98fb35701058a949fccd1a4d76a0ccdf40606d0849c3fbccb9b37b8f
                                                                                                  • Instruction ID: e34a7d29cdc26e76901187ad37e06b94863a6253e14d970af5a79a41640bb6a1
                                                                                                  • Opcode Fuzzy Hash: 84f7174f98fb35701058a949fccd1a4d76a0ccdf40606d0849c3fbccb9b37b8f
                                                                                                  • Instruction Fuzzy Hash: D9D1AF32B08A4AC5EB688EA9C86037D37A0EB45F49F145235CE8D07695DFBEE8D1C340
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1188edb522b859df7e5dcf667770e6cd2adaf91aa135349a904e24ff44a07b20
                                                                                                  • Instruction ID: 8d0b5eb5189b50be394e32509f6b41d248480592e20813cdf30d616245d84057
                                                                                                  • Opcode Fuzzy Hash: 1188edb522b859df7e5dcf667770e6cd2adaf91aa135349a904e24ff44a07b20
                                                                                                  • Instruction Fuzzy Hash: FAB17D72A48B89C9E7658F6AC86033C3BA0E749F48F640136DA4E47399CF3AE491C754
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: be47964fcc4595da42470565f4ee94a9284566997e825a65d0fd1335d8fc76c3
                                                                                                  • Instruction ID: 8c5dd034515338b269671e1f9235b7580fd8999c7ffd7ff72edf2c799e09030c
                                                                                                  • Opcode Fuzzy Hash: be47964fcc4595da42470565f4ee94a9284566997e825a65d0fd1335d8fc76c3
                                                                                                  • Instruction Fuzzy Hash: 7781D476B08B8586E774CFA5E4A0379B691FB85B94F104235DA9D43B96CE3ED480CB01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID:
                                                                                                  • API String ID: 3215553584-0
                                                                                                  • Opcode ID: 87826663fb88d95eb3373e8dcf29249e2651c96390ffb61b889701d1ece7043f
                                                                                                  • Instruction ID: d1530476f28a181d58589552f1b089c15d45d7ab6ecf2cd92f9a38ce4509f0b7
                                                                                                  • Opcode Fuzzy Hash: 87826663fb88d95eb3373e8dcf29249e2651c96390ffb61b889701d1ece7043f
                                                                                                  • Instruction Fuzzy Hash: 7561F832F0CA9AC6FB6599A8C4743797681BF40F60F14463AD65D466C6DE3FE880C700
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fae3d71a0409ac533e92ee5e8c56820f1abf5f494794e29cc2365857733816a9
                                                                                                  • Instruction ID: 0466d169fadcf08b13fe74f70aababbf57b9b8cd7489bfbeeb67db833049380d
                                                                                                  • Opcode Fuzzy Hash: fae3d71a0409ac533e92ee5e8c56820f1abf5f494794e29cc2365857733816a9
                                                                                                  • Instruction Fuzzy Hash: F7518372B28A5AC6E7608EA8D1247B87390FB15F68F144235EA4D466D5CF3FE8C2C701
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 32a39131b1ea9c855f919021bf4e12638fc87ba38f04dc641b8aacd00c666a4f
                                                                                                  • Instruction ID: 152abdbd078d3ee356d54d8d1d38773df7934085d36749a029b7a579f5c8dcfe
                                                                                                  • Opcode Fuzzy Hash: 32a39131b1ea9c855f919021bf4e12638fc87ba38f04dc641b8aacd00c666a4f
                                                                                                  • Instruction Fuzzy Hash: 70518036B18A59C6FB648B69C06033937A0EB44F78F245231CE4D177A5DB3BE892C784
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7a7a51e5dbc6814b69a1f5516beb431e2955e309f392fad738cca70c3e99af50
                                                                                                  • Instruction ID: 2c881f500fb53ab8faa7ee26eaf04c82b7bc86d707869a90735425e1384b95d8
                                                                                                  • Opcode Fuzzy Hash: 7a7a51e5dbc6814b69a1f5516beb431e2955e309f392fad738cca70c3e99af50
                                                                                                  • Instruction Fuzzy Hash: 76514036B18F5AC6E7748BA9C06432837A0EB59F68F244131CE4D577A5DB3BE892C740
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 45cfc8f3d66b23b604d29949c39df706330583ea5add7a420aff299b0c38cec5
                                                                                                  • Instruction ID: 3e6745813dd285947934ba07f464bcfff1ff6ead7c7dbda71ff9d7f6bfe134ae
                                                                                                  • Opcode Fuzzy Hash: 45cfc8f3d66b23b604d29949c39df706330583ea5add7a420aff299b0c38cec5
                                                                                                  • Instruction Fuzzy Hash: 66514F76B18A59C6E7248B69C06033837A0EB45F68F288131DE4D57795CF3BE993D780
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 16617ee0fc7f8c144c525315531aa15f76cd011324c60239c481cbad41e7e036
                                                                                                  • Instruction ID: e8d52f83a81ea4cb3673fc80ff5ffc550273d7110a9db984964569ee1e1a37ee
                                                                                                  • Opcode Fuzzy Hash: 16617ee0fc7f8c144c525315531aa15f76cd011324c60239c481cbad41e7e036
                                                                                                  • Instruction Fuzzy Hash: 23518336B18A5AC6E7258B69C06432837A0EB95F6CF245131CA4D17795CF3BE8C2CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 51aaf4873c05abffa460ff0bd214f66616c7fce314d1f5b4d1403479c50517f3
                                                                                                  • Instruction ID: 3b2db11277762600e66458fbeb9f661107338e256f24f1170d8d74f686b4f1ce
                                                                                                  • Opcode Fuzzy Hash: 51aaf4873c05abffa460ff0bd214f66616c7fce314d1f5b4d1403479c50517f3
                                                                                                  • Instruction Fuzzy Hash: 7F518036B18A59C6E7648BA9C06076877A0EB49FA8F244131CE4C57799DB3BECD3C740
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 02b7a2496c7568684aa243f87f5578d0fba0b47c0b8864685c6256374f78d05f
                                                                                                  • Instruction ID: 23672ab249159122d095e2afbd0b482d1c2c025fa3f4e9ac1e45206c77a49527
                                                                                                  • Opcode Fuzzy Hash: 02b7a2496c7568684aa243f87f5578d0fba0b47c0b8864685c6256374f78d05f
                                                                                                  • Instruction Fuzzy Hash: DB319E72608A4AC5EB258FA9E4503ADB7A0F799F48F254135DB8C4B764DF3AC092CB04
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 18b6748ca6a6a0d51e118e82d35fb9f5821d58e468e74478334e5de39f486265
                                                                                                  • Instruction ID: fac577dd8c7ae3f5eb01d34aa35c0b9027220359bd0cb38efa0da59b263854d4
                                                                                                  • Opcode Fuzzy Hash: 18b6748ca6a6a0d51e118e82d35fb9f5821d58e468e74478334e5de39f486265
                                                                                                  • Instruction Fuzzy Hash: 363180B2608A86C5EB618F69E0507BD77A0E769F4CF254135DB4C4B761DB3AD092C704
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a4b32a0ec8867fd1847959522346067af6a5e452e3e1d64f74d91d8c4bfa1493
                                                                                                  • Instruction ID: 8f0b8d469bec27b28657ade1fb2e4c32be1da743977917271e23c5e744f2cac3
                                                                                                  • Opcode Fuzzy Hash: a4b32a0ec8867fd1847959522346067af6a5e452e3e1d64f74d91d8c4bfa1493
                                                                                                  • Instruction Fuzzy Hash: 7631A172608A4AC6EB218F69E05036DB7A0F799F5CF658135DB8D4B751DF3AC092C700
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID:
• String ID: Comctl32.dll$CreateWindowInBand$GetWindowBand$GhostWindowFromHungWindow$HungWindowFromGhostWindow$InternalGetWindowIcon$InternalGetWindowText$IsTopLevelWindow$LoadIconWithScaleDown$NtUserBuildHwndList$SHRegGetValueFromHKCUHKLM$SetWindowBand$SetWindowCompositionAttribute$Shlwapi.dll$shcore.dll$user32.dll$uxtheme.dll$win32u.dll
• API String ID: 0-385217830
Strings
• SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}, xrefs: 00007FFD6565990C
Similarity
• API ID: CloseHandle$FreeLibrary$Object$Delete$DestroyEvent$SingleUninitializeWaitWindow$#386BufferedClassDataGdiplusIconInitModulePaintShutdownThemeUnhookUnregister
• String ID: SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
• API String ID: 4090220598-648101266
Similarity
• API ID: Color$BitsStretchText$Object$DrawFromModeMonitorSelectWindow$BackgroundCreateDeleteFontIndirectInfoParametersSystemTheme
• String ID: $%
• API String ID: 4081638245-2111875603
Similarity
• API ID: CurrentFromModuleProcessStackWalk64$AddrAddr64Base64CaptureCleanupCloseContextFileHandleInitializeLineNameOpenOptionsThread
• String ID: %d in file "%s"$%s:$($[%3d] = [0x%p] ::
• API String ID: 4210550807-1010961775
Strings
• [EnsureXAML] RoGetActivationFactory(IXamlApplicationStatics) failed. 0x%lX, xrefs: 00007FFD6565F364
• Windows.Internal.Shell.XamlExplorerHost.XamlApplication, xrefs: 00007FFD6565F305
• [EnsureXAML] ICoreWindow5::get_DispatcherQueue() failed. 0x%lX, xrefs: 00007FFD6565F42B
• [EnsureXAML] RoGetActivationFactory(ICoreWindow5) failed. 0x%lX, xrefs: 00007FFD6565F400
• [EnsureXAML] IXamlApplicationStatics::get_Current() failed. 0x%lX, xrefs: 00007FFD6565F391
• [EnsureXAML] WindowsCreateStringReference(XamlApplication) failed. 0x%lX, xrefs: 00007FFD6565F31B
• Windows.UI.Xaml.Hosting.WindowsXamlManager, xrefs: 00007FFD6565F3BD
• [EnsureXAML] WindowsCreateStringReference(WindowsXamlManager) failed. 0x%lX, xrefs: 00007FFD6565F3D0
• [EnsureXAML] %lld ms., xrefs: 00007FFD6565F442
Similarity
• API ID: ActivationFactoryStringWindows$Count64CreateDeleteReferenceTick
• String ID: Windows.Internal.Shell.XamlExplorerHost.XamlApplication$Windows.UI.Xaml.Hosting.WindowsXamlManager$[EnsureXAML] %lld ms.$[EnsureXAML] ICoreWindow5::get_DispatcherQueue() failed. 0x%lX$[EnsureXAML] IXamlApplicationStatics::get_Current() failed. 0x%lX$[EnsureXAML] RoGetActivationFactory(ICoreWindow5) failed. 0x%lX$[EnsureXAML] RoGetActivationFactory(IXamlApplicationStatics) failed. 0x%lX$[EnsureXAML] WindowsCreateStringReference(WindowsXamlManager) failed. 0x%lX$[EnsureXAML] WindowsCreateStringReference(XamlApplication) failed. 0x%lX
• API String ID: 1384349799-1320486068
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryProc$FreeLoad$FolderPath_invalid_parameter_noinfo
                                                                                                  • String ID: CopyExplorerSymbols$EP_TrayUI_CreateInstance$GetVersion$SetImmersiveMenuFunctions$[TB] '%s' not found$[TB] '%s' with version %d is not compatible$[TB] Failed to hook TrayUI_CreateInstance()$[TB] Using '%s'$\ExplorerPatcher\
                                                                                                  • API String ID: 1805524761-1356000006
                                                                                                  • Opcode ID: 2db6c055f175ea82300a4cd14d1fb923f10ac90707805e9606bc5d9fb8105206
                                                                                                  • Instruction ID: a78c8eff7e607744de879643c3059602896d08274c0998b7da42b0f9936d79bc
                                                                                                  • Opcode Fuzzy Hash: 2db6c055f175ea82300a4cd14d1fb923f10ac90707805e9606bc5d9fb8105206
                                                                                                  • Instruction Fuzzy Hash: 92519B64F19E4BD1FB649BA1E8743B923A2AF84F84F544535C80E466A5EE3CE4C8C740
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentFormatMessageThread
                                                                                                  • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$LogNt$Msg:[%ws] $ReturnHr$ReturnNt$[%hs(%hs)]$[%hs]
                                                                                                  • API String ID: 2411632146-1363043106
                                                                                                  • Opcode ID: 2935512d2c6e909dfa644574101ff65b8825e8c6f30e4c6078ed0d8e3a7d28fc
                                                                                                  • Instruction ID: 3d7862dfb95c221134b919c043087ee25b428891d1e7a075baf240ad8e233685
                                                                                                  • Opcode Fuzzy Hash: 2935512d2c6e909dfa644574101ff65b8825e8c6f30e4c6078ed0d8e3a7d28fc
                                                                                                  • Instruction Fuzzy Hash: E2713861B09E4BC1EA64DFA1E9607A963A0EF48F88F444536DA4D477A8DF3CE5C9C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastRegister$Virtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 270683995-0
                                                                                                  • Opcode ID: c5d10ea8c7cc1500a942c4454fc4465b49889767eabafe1240a810fc2a09707a
                                                                                                  • Instruction ID: 549e7c847395a98a4f52454169482c396aba462cbcbb2a4b72ae6b29e1691843
                                                                                                  • Opcode Fuzzy Hash: c5d10ea8c7cc1500a942c4454fc4465b49889767eabafe1240a810fc2a09707a
                                                                                                  • Instruction Fuzzy Hash: C6517424B48F4BC6FB645BE6D5A877516A4BF64F94F004134CA0E87790EF6CE494C760
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PerformanceQuery$Window$CountCounterFrequencyTickVisible$Foreground
                                                                                                  • String ID: [sws] CalculateHelper %d [[ %lld + %lld = %lld ]].
                                                                                                  • API String ID: 488077963-247053615
                                                                                                  • Opcode ID: 3f65e0f771cb655437fab76eff18763099f99234690c18f14129bba6a5b08e21
                                                                                                  • Instruction ID: c331c48cd79c8e0e90f5ff5a9f88f243c9f1cb05108c2e6ec22aa817ee620029
                                                                                                  • Opcode Fuzzy Hash: 3f65e0f771cb655437fab76eff18763099f99234690c18f14129bba6a5b08e21
                                                                                                  • Instruction Fuzzy Hash: 3EC19E32B48E4AC6EB208FA5E4643A973A0FB84B85F154175DA8E47794EFBCE495C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Prop$Ancestor$AreaAttributeClientExtendFindFrameIntoParentPointsRectRemoveText_invalid_parameter_noinfo
                                                                                                  • String ID: EP_METB$FloatingWindow$Windows.UI.Composition.DesktopWindowContentBridge
                                                                                                  • API String ID: 1583271118-1647979291
                                                                                                  • Opcode ID: c8ea524b2641a5da3709456cc57230e444ff2d13f894c06ebcf25f18ca11cfa0
                                                                                                  • Instruction ID: b66fbc6344c0ebcdd761662f0f66ac9209dff3f6b61e09a1dd782c774692fca7
                                                                                                  • Opcode Fuzzy Hash: c8ea524b2641a5da3709456cc57230e444ff2d13f894c06ebcf25f18ca11cfa0
                                                                                                  • Instruction Fuzzy Hash: 22516C75B08E4AC6EB54DB91E87476A23A2FB88F80F404135D94E47B98DF3CE985CB01
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$ActiveLastPopup$ClassFindMessageNamePostShowSwitchThisVisible
                                                                                                  • String ID: Shell_TrayWnd$[sws] Chosen window: %s$[sws] Last active popup: %s$[sws] Owner of window: %s
                                                                                                  • API String ID: 4254927367-3099396148
                                                                                                  • Opcode ID: e58f540687b648bce5fbf70db1b5a43db5114e58f026e382351965d45dabb4aa
                                                                                                  • Instruction ID: b21a2666ac477fc90ed657249c06ed9491a3f2c9badac48c169eb0ee70662d1b
                                                                                                  • Opcode Fuzzy Hash: e58f540687b648bce5fbf70db1b5a43db5114e58f026e382351965d45dabb4aa
                                                                                                  • Instruction Fuzzy Hash: 84512C65B09F4AC5EF24DF91E8A836963A0FB89F85F444139CA8E0B764DE3CE495C740
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Rect$MetricsSystem$Monitor$FromInfoValue
                                                                                                  • String ID: ($0$0$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy$Settings
                                                                                                  • API String ID: 2079259257-2463101083
                                                                                                  • Opcode ID: 86ba576f1cc1592d9bc9463654c92b9e48c18665b4d514e460bda456097f7eca
                                                                                                  • Instruction ID: 6e14f20fdf97ac0c5cc1017da34522b2700215cf4ed29cffe7193ea50d86be66
                                                                                                  • Opcode Fuzzy Hash: 86ba576f1cc1592d9bc9463654c92b9e48c18665b4d514e460bda456097f7eca
                                                                                                  • Instruction Fuzzy Hash: 3B517F36F0CE6AC6E7248F64E46037AB6A0EF99B54F500135DA8D46A94DF7DE8C4CB40
                                                                                                  APIs
                                                                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FFD6567BD43), ref: 00007FFD65683345
                                                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FFD6567BD43), ref: 00007FFD65683354
                                                                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FFD6567BD43), ref: 00007FFD6568338F
                                                                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00007FFD6567BD43), ref: 00007FFD6568339E
                                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFD656836FE
                                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFD65683704
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc_invalid_parameter_noinfo_noreturn
                                                                                                  • String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
                                                                                                  • API String ID: 3318250257-4036682018
                                                                                                  • Opcode ID: 47f2e277db7f33a9d025472d12c4bddb3c880ee4c8368754ca942e3fbd5c54a0
                                                                                                  • Instruction ID: 5ef2f4b49f1810cc350555cd968af7fb23cc31a6df06ade314caca54eb3d5ee9
                                                                                                  • Opcode Fuzzy Hash: 47f2e277db7f33a9d025472d12c4bddb3c880ee4c8368754ca942e3fbd5c54a0
                                                                                                  • Instruction Fuzzy Hash: 1EC17962B04E5AD4FF10DBA5D8643BC27A1AB44F98F944236DE1E67798EE38E4C5C310
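                                                                                                   The LoadLibraryW/GetProcAddress pairs listed for this function resolve combase.dll exports (RoGetActivationFactory, DllGetActivationFactory, CoIncrementMTAUsage) at run time, which is the pattern the report's "Extensive use of GetProcAddress" signature keys on; the earlier entry that resolves EP_TrayUI_CreateInstance under \ExplorerPatcher\ does the same. As an added triage aid (not part of the Joe Sandbox report and not ExplorerPatcher's code), the Python script below parses pasted "Similarity" entries of the shape shown in this section into records, flags the functions whose API ID shows a LoadLibrary/GetProcAddress pair, and tags the marker strings a reviewer would pivot on (the \ExplorerPatcher\ path, EP_ symbols, DLL names, WinRT activation-factory calls, the StuckRectsLegacy registry path, the Shell_TrayWnd class). The sample text is constructed from four entries shown above; the "AddressLibrary…Proc" test is an assumption about how Joe Sandbox concatenates sorted API-name tokens into the API ID, and the marker list is mine.

```python
"""Triage helper for Joe Sandbox 'Similarity' function entries.

Added example, not code from the report or from ExplorerPatcher. SAMPLE is
constructed from entries shown in this report section, trimmed to the
fields the parser reads."""
import re
from dataclasses import dataclass, field

# Constructed sample (raw string so the backslashes stay literal).
SAMPLE = r"""
Similarity
• API ID: AddressLibraryProc$FreeLoad$FolderPath_invalid_parameter_noinfo
• String ID: CopyExplorerSymbols$EP_TrayUI_CreateInstance$GetVersion$SetImmersiveMenuFunctions$[TB] '%s' not found$\ExplorerPatcher\
• API String ID: 1805524761-1356000006
• Opcode ID: 2db6c055f175ea82300a4cd14d1fb923f10ac90707805e9606bc5d9fb8105206
Similarity
• API ID: AddressLibraryLoadProc_invalid_parameter_noinfo_noreturn
• String ID: CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
• API String ID: 3318250257-4036682018
• Opcode ID: 47f2e277db7f33a9d025472d12c4bddb3c880ee4c8368754ca942e3fbd5c54a0
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
Similarity
• API ID: Rect$MetricsSystem$Monitor$FromInfoValue
• String ID: ($0$0$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StuckRectsLegacy$Settings
• API String ID: 2079259257-2463101083
• Opcode ID: 86ba576f1cc1592d9bc9463654c92b9e48c18665b4d514e460bda456097f7eca
Similarity
• API ID: Window$ActiveLastPopup$ClassFindMessageNamePostShowSwitchThisVisible
• String ID: Shell_TrayWnd$[sws] Chosen window: %s$[sws] Last active popup: %s$[sws] Owner of window: %s
• API String ID: 4254927367-3099396148
• Opcode ID: e58f540687b648bce5fbf70db1b5a43db5114e58f026e382351965d45dabb4aa
"""

# One "• Key: value" line of an entry. Values may contain ':' (Source File).
FIELD = re.compile(
    r"^\s*•?\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|Source File):\s*(.*)$"
)

# Marker strings a reviewer would pivot on (my choice, not the report's).
MARKERS = {
    "explorerpatcher_path": re.compile(r"\\ExplorerPatcher\\"),
    "ep_prefix": re.compile(r"^EP_"),
    "module_name": re.compile(r"\.dll$", re.IGNORECASE),
    "winrt_activation": re.compile(r"ActivationFactory"),
    "registry_path": re.compile(r"^SOFTWARE\\", re.IGNORECASE),
    "tray_window_class": re.compile(r"^Shell_TrayWnd$"),
}


@dataclass
class Entry:
    fields: dict = field(default_factory=dict)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def strings(self) -> list:
        # Joe Sandbox joins the referenced strings with '$'; empty means none.
        raw = self.fields.get("String ID", "")
        return raw.split("$") if raw else []


def parse_entries(text: str) -> list:
    """Split pasted report text into one Entry per 'Similarity' block."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            cur = Entry()
            entries.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur.fields[m.group(1)] = m.group(2).strip()
    return entries


def resolves_imports_dynamically(entry: Entry) -> bool:
    # Assumption about the API ID layout: sorted name fragments are concatenated,
    # so GetProcAddress + LoadLibrary* collapse into "AddressLibrary...Proc".
    return "AddressLibrary" in entry.api_id and "Proc" in entry.api_id


def triage(entries: list) -> list:
    """Per-function findings: dynamic-import flag and which markers its strings hit."""
    findings = []
    for e in entries:
        hits = {name for s in e.strings for name, rx in MARKERS.items() if rx.search(s)}
        findings.append({
            "opcode_id": e.fields.get("Opcode ID", "")[:12],
            "dynamic_imports": resolves_imports_dynamically(e),
            "markers": sorted(hits),
            "resolved_modules": [s for s in e.strings if MARKERS["module_name"].search(s)],
        })
    return findings


def summarize(findings: list) -> dict:
    return {
        "functions": len(findings),
        "dynamic_import_functions": sum(f["dynamic_imports"] for f in findings),
        "marker_hits": sorted({m for f in findings for m in f["markers"]}),
    }


if __name__ == "__main__":
    rows = triage(parse_entries(SAMPLE))
    for r in rows:
        print(f'{r["opcode_id"]}  dyn_import={r["dynamic_imports"]!s:5}  markers={",".join(r["markers"]) or "-"}')
    print(summarize(rows))
```

To run it over the whole report, paste the function entries into a file and pass its contents to parse_entries; the Opcode ID prefix ties each finding back to the entry on the page. The API ID heuristic is coarse (it cannot tell which library was loaded), so treat a flagged function as a place to read the expanded APIs list, as with the LoadLibraryW/GetProcAddress references above, not as a verdict; the strings here are consistent with the ExplorerPatcher sample the report names, and dynamic resolution of combase.dll exports is also how ordinary software talks to WinRT.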
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$CloseCreateHandleSemaphore$MutexRelease
                                                                                                  • String ID: _p0$wil
                                                                                                  • API String ID: 2058776845-1814513734
                                                                                                  • Opcode ID: 3a0d189ac191bc084a5fc5670cae84461b640c2f59d3b8f50f61060daf8f36b1
                                                                                                  • Instruction ID: 310820ab3f7e9b570e591df62b7f952dd35f7a7133fff3c754793cc335583d35
                                                                                                  • Opcode Fuzzy Hash: 3a0d189ac191bc084a5fc5670cae84461b640c2f59d3b8f50f61060daf8f36b1
                                                                                                  • Instruction Fuzzy Hash: F8918C22B19E8AC2FF619FA4D4687BA62A0EF84F94F544535DA0E47794EE3CE485C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                                                                                                  • String ID: Content-Type: application/octet-stream;$GET$Microsoft-Symbol-Server/10.0.10036.206$msdl.microsoft.com
                                                                                                  • API String ID: 1354133546-1066975914
                                                                                                  • Opcode ID: 350d287939a7d2f1add441939b25f7b863f4f39f8f26b0a9b09781f25b1b9722
                                                                                                  • Instruction ID: 9f3a4f0f81658f5a1f9457b912e77ae35d1828e2f73594ad640d8c1562c921fd
                                                                                                  • Opcode Fuzzy Hash: 350d287939a7d2f1add441939b25f7b863f4f39f8f26b0a9b09781f25b1b9722
                                                                                                  • Instruction Fuzzy Hash: E8515131B0CA46C6FB609BA1E46076A67A0FB89F90F540035DE5E07B95DF7DD581C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Parent$ClassMessageRegisterWindowWord$CloseInfoItemMenuOpenProp
                                                                                                  • String ID: DesktopWindow$P$Progman$WorkerW
                                                                                                  • API String ID: 441032011-3530101500
                                                                                                  • Opcode ID: 73863012d50b2bd1d21eae4375196a3a5b19108d03dced183ceb9fe1bdf8281c
                                                                                                  • Instruction ID: 90a4a201a9c22b5a65fba6d2514a62c64326cbdc5fdafa360d8c1c650ee81613
                                                                                                  • Opcode Fuzzy Hash: 73863012d50b2bd1d21eae4375196a3a5b19108d03dced183ceb9fe1bdf8281c
                                                                                                  • Instruction Fuzzy Hash: 89413E65B0CE8AC2EB609B96E86477962A0AF85F95F400135ED4E46BA4DF3CE4C5CB01
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: StringWindows$Delete$ActivationCreateFactoryReference$Buffer
                                                                                                  • String ID: StartDocked.StartSizingFrame$Windows.UI.Xaml.Media.VisualTreeHelper$Windows.UI.Xaml.Window
                                                                                                  • API String ID: 2896072117-1951327480
                                                                                                  • Opcode ID: 406c51ab9b4f8bb1ad36d289adcd5a805c209490f3241a495b7a24305f52d179
                                                                                                  • Instruction ID: 7580c09e894ccbe0f9f19916feade60f0b3646e63b4bd75272e92f6dcc2aaaa0
                                                                                                  • Opcode Fuzzy Hash: 406c51ab9b4f8bb1ad36d289adcd5a805c209490f3241a495b7a24305f52d179
                                                                                                  • Instruction Fuzzy Hash: CAB1D626B04F5AC5EB109BA1D8A42AD37B1FB84F99F544436CE0E57B68DF39D885C340
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$ActivationAddressCreateFactoryHandleModuleProcReferenceStringWindows
                                                                                                  • String ID: ColorPrevalence$EnableTransparency$SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize$Taskbar10.cpp$WindowsUdk.UI.Themes.SystemVisualTheme$dcomp.dll
                                                                                                  • API String ID: 342590677-1899219526
                                                                                                  • Opcode ID: 3c9b4e9b9acc2d63674af36005109daad2ed71ec6303830d23cf5222d9514225
                                                                                                  • Instruction ID: aa667ce2dc95b03a6b5f491643df107b87d11a6b43c26dca491faa40af3d8ff2
                                                                                                  • Opcode Fuzzy Hash: 3c9b4e9b9acc2d63674af36005109daad2ed71ec6303830d23cf5222d9514225
                                                                                                  • Instruction Fuzzy Hash: DA916A72B18E4ACAFB108FA1D4603B973A5EB24B48F404676CA1D47B94DF3CE598C760
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$HandleLeaveLoadMessageModuleSendString$Enter
                                                                                                  • String ID: (null)$H$pnidui.dll
                                                                                                  • API String ID: 3318607081-2376156319
                                                                                                  • Opcode ID: 2adcfd1bc7f7106be87062b26d09ee880211e94a2488b4e2af3a87a323da4b34
                                                                                                  • Instruction ID: b5684ac36763ddbf6d8c99721775eacbcd80da7c5181aa3561ca7b9979f4d3ca
                                                                                                  • Opcode Fuzzy Hash: 2adcfd1bc7f7106be87062b26d09ee880211e94a2488b4e2af3a87a323da4b34
                                                                                                  • Instruction Fuzzy Hash: 81513D36B18F89C6EB608FA5E46036A73A1FB88B44F544236DA8D47B64DF3CD585CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Monitor$Window$From$FindInfoPoint$Rect
                                                                                                  • String ID: ($Shell_SecondaryTrayWnd$Shell_TrayWnd
                                                                                                  • API String ID: 1776394408-174554928
                                                                                                  • Opcode ID: df920bce5273e1608d508747b8fe0297b18f257e25a8b55d9d9880311595257d
                                                                                                  • Instruction ID: 98463b67a55ea79d380847db65e715981768eab39769e43c590678dfd554d4aa
                                                                                                  • Opcode Fuzzy Hash: df920bce5273e1608d508747b8fe0297b18f257e25a8b55d9d9880311595257d
                                                                                                  • Instruction Fuzzy Hash: 22410F75B1DE4AC6EB608BA1E92477A63A1EB88F90F144131DD4E87B44DE3DE8C1CB41
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$ActivationFactory_invalid_parameter_noinfo_noreturn
                                                                                                  • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Start$ShowFrequentList$ShowRecentList$VisiblePlaces$WindowsInternal.Shell.CDSProperties.StartGlobalProperties
                                                                                                  • API String ID: 3131312478-3545454060
                                                                                                  • Opcode ID: 2fc7de9be2258553e5e4356f05f1f3693b5da9eac1552d1f13d45b0a0d89c943
                                                                                                  • Instruction ID: 657480427481fe0ce5676fdc5fb25b3e358d6f0497e206e5321c89c3717d4242
                                                                                                  • Opcode Fuzzy Hash: 2fc7de9be2258553e5e4356f05f1f3693b5da9eac1552d1f13d45b0a0d89c943
• Instruction Fuzzy Hash: A0F13832B09E0ADAEB109FA1E4603AC33B5FB48B98F404636DA4D53B98DF38D595C340
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: DataOpenTheme$#328#334Value
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced$Taskband2$TaskbarPearl$TaskbarSD$TaskbarShowDesktop$TrayNotifyFlyout
• API String ID: 1534390305-1782666386
• Opcode ID: c7ddb71f4a83ab2f2543ec785e296f09332302bef59eff340a23ee719fc66fa6
• Instruction ID: f4a880cc5b500b99e3d33ff0b46976401d53446a1644fb6f8dd2a4a2c1e2696f
• Opcode Fuzzy Hash: c7ddb71f4a83ab2f2543ec785e296f09332302bef59eff340a23ee719fc66fa6
• Instruction Fuzzy Hash: CA517165B08D4AC2EBA89F95D42037972B1EF54F68F844535EE4D466E4EF3CA8C1C302
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: StringWindows$CreateDeleteInitializeReference$ActivateInstance
• String ID: %s:%d:: QueryInterface = %d$%s:%d:: RoActivateInstance = %d$String2IXMLDocument$Windows.Data.Xml.Dom.XmlDocument
• API String ID: 2286360050-3498695339
• Opcode ID: 521d3f1b8b4cf1f66befddd86d94abcf4bde1879f0b406af681ffbcfccee33e5
• Instruction ID: ee89168c13351fd04a1c5ddd027c5a1d89e3128664f019a1509ae4801fa02988
• Opcode Fuzzy Hash: 521d3f1b8b4cf1f66befddd86d94abcf4bde1879f0b406af681ffbcfccee33e5
• Instruction Fuzzy Hash: 06411F26718E4AC2EB109FA6E4A03696770FB88F99F404132DE8E47764DF7DD589C700
APIs
Strings
• [sws] Delayed showing by %lld ms due to: user configuration., xrefs: 00007FFD65659642
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: PerformanceQuery$CountCounterFrequencyObjectSingleTickWaitWindow$AttributeVisible
• String ID: [sws] Delayed showing by %lld ms due to: user configuration.
• API String ID: 3340259983-850836316
• Opcode ID: 60a22c30f773cdf64ed5086f3dc5362e028d3ad9448525f1eee846b433465a00
• Instruction ID: 33abee205288bb165d388bfd46da1de58a847b9e77d7b88a4fb81b131b54ba71
• Opcode Fuzzy Hash: 60a22c30f773cdf64ed5086f3dc5362e028d3ad9448525f1eee846b433465a00
• Instruction Fuzzy Hash: 48313D62B08E4AC6FB509FA5E46432973B4EF94F98F540135EA4E466A4EF3CE4D5C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: MonitorValue$ClientFromInfoMessagePointScreenTimer
• String ID: ($SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
• API String ID: 2953988541-3876653080
• Opcode ID: 8f5c143c421f264fdeb3e6b0909a287875635cf8cd460ed4f2bf51121d7b3ea3
• Instruction ID: 543d540698597cfe57ccd5a2da5e267d03a0e0bfb0c7e85d24a3b12d72a653d6
• Opcode Fuzzy Hash: 8f5c143c421f264fdeb3e6b0909a287875635cf8cd460ed4f2bf51121d7b3ea3
• Instruction Fuzzy Hash: 45518C72F19A16CAF750CBA4E4A47BC73B5BB44B58F500136DA1A57A88DF3CA9C5C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ErrorFreeLastVirtual$FormatMessage
• String ID: decommit page %p (base=%p(used=%d), idx=%llu, size=%llu)$ release memory %p (size=%llu)$Failed to decommit page %p (base=%p(used=%d), idx=%llu, size=%llu, error=%lu(%s))$Failed to release memory %p (size=%llu, error=%lu(%s))$Unknown Error
• API String ID: 2809503268-3332624631
• Opcode ID: edb279614e357427b3b822d91c61073d4f5e3929ed789ed6ea45d3a914b49dc7
• Instruction ID: 9a47e01e5d84e03a3db52683fae9863340a747b8a618acbe998eb2203f0c1971
• Opcode Fuzzy Hash: edb279614e357427b3b822d91c61073d4f5e3929ed789ed6ea45d3a914b49dc7
• Instruction Fuzzy Hash: 0F516E31B18F4AC6EB248B96E8603A973A1FB59F84F044135DA4D437A4DF3CD194CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CurrentProcess$FileHandleMappedModuleName
• String ID: -> func %p$ -> func %p in %.*s$ func %p is in %.*s$ indirect jump to addresss at %p$ relative jump to %p$%
• API String ID: 3110908827-1828122181
• Opcode ID: 4f4fd1c33d259b27fb525bbc7952158004242cf8a32218f632c79e322e8538d3
• Instruction ID: ff5e26db2da649bb8662d3df5ae4ee5889e96393e594c0d9260d468fcda35b14
• Opcode Fuzzy Hash: 4f4fd1c33d259b27fb525bbc7952158004242cf8a32218f632c79e322e8538d3
• Instruction Fuzzy Hash: 5E517161B09E8BC1FF609B95E8603B967A1BF6AF88F484031DA4D47785DF2DE985C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CreateInitializeReferenceStringWindows
• String ID: Microsoft.Windows.Explorer$Windows.UI.Notifications.ToastNotification$Windows.UI.Notifications.ToastNotificationManager
• API String ID: 3973075819-205246331
• Opcode ID: 61fe052dac5bbf871d41a08c977f99300e810394ad62dcf125acb6468106a64f
• Instruction ID: d16f7aeab2e1e0c9ea10b997cef4a2cf04e8230a74146d2df25542169a9359d0
• Opcode Fuzzy Hash: 61fe052dac5bbf871d41a08c977f99300e810394ad62dcf125acb6468106a64f
• Instruction Fuzzy Hash: 9751D526B08E0AC6EB10DBE5D4A43AD23B4EB88F89F400532CE4E57B58DF79D589C350
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CloseHandle$CreateDirectoryFolderPathProcessSystem_invalid_parameter_noinfo
• String ID: ",ZZGUI$Launching : %s$\ExplorerPatcher\ep_gui.dll$\rundll32.exe" "$h
• API String ID: 3541607598-809932297
• Opcode ID: 7766f0c82fe214f4cdd2185d49f277cc42f8bdc2b13b7a9c7478ae368f575a96
• Instruction ID: 53132c013b966ef28889cd7e09896ed1f134a43b74425409a8cdb51d42b03d13
• Opcode Fuzzy Hash: 7766f0c82fe214f4cdd2185d49f277cc42f8bdc2b13b7a9c7478ae368f575a96
• Instruction Fuzzy Hash: EF416D22F18E85C6EB10DBA0E8603EE7370F798718F405236DA5D52AA9EF3CD185CB40
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CompareOrdinalString
• String ID: ::{17CD9488-1228-4B2F-88CE-4298E93E0966}$::{7007ACC7-3202-11D1-AAD2-00805FC1270E}$::{7B81BE6A-CE2B-4676-A29E-EB907A5126C5}$::{8E908FC9-BECC-40F6-915B-F4CA0E70D03D}$::{A8A91A66-3A7D-4424-8D24-04E180695C7A}$::{BB06C0E4-D293-4F75-8A90-CB05B6477EEE}$::{D450A8A1-9568-45C7-9C0E-B4F9FB4537BD}$Advanced
• API String ID: 2409332303-3644713213
• Opcode ID: 0bddf4f8cf2fe53f5b2b67e9ca6550e7cca2cebb951c42f5df0ff5165daec25b
• Instruction ID: 8d4a338a2cf27ec182461c4f4b1a69c74a0e3feecd89aebe7a40062ff487a87e
• Opcode Fuzzy Hash: 0bddf4f8cf2fe53f5b2b67e9ca6550e7cca2cebb951c42f5df0ff5165daec25b
• Instruction Fuzzy Hash: AA315836B08F86C5EB618F40E4553A933B9FB48B94F550235CA9C17750DF39E996C740
APIs
Strings
Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: LibraryModule$CurrentDataDirectoryEntryFreeHandleImageInformationLoadProcess
                                                                                                  • String ID: RegGetValueW$Setup sndvolsso functions done$TrackPopupMenuEx$api-ms-win-core-registry-l1-1-0.dll$sndvolsso.dll$user32.dll$xxxxxxxxxxxxxxxxx????xxx????xxx????xxxxxx????xxx????xxx
                                                                                                  • API String ID: 2511907732-965438320
                                                                                                  • Opcode ID: 6091a5929a8867be7760a9ffc442e769f486868466c859942fbdfda13ba5893d
                                                                                                  • Instruction ID: 0639caa3b0dc84bce2a0c801bf2ae09233feed5d5967c25a585b44ade25d1a68
                                                                                                  • Opcode Fuzzy Hash: 6091a5929a8867be7760a9ffc442e769f486868466c859942fbdfda13ba5893d
                                                                                                  • Instruction Fuzzy Hash: 39211B65B49E4FD0FA10EBA1E8712F92361AF8AF94F444132D95E06765DE3CE1C5C380
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HorizontalAlign$Position$TwinUIPatches.cpp$VerticalAlign
                                                                                                  • API String ID: 0-1987525340
                                                                                                  • Opcode ID: f192e1d4ce6da24b30661df487f12e9c0c9414033a8a0d4c05a3f75df6258f84
                                                                                                  • Instruction ID: b0d356c0bcaf96b56a9eea48134d425b9d9d661c818714518005b035ab476644
                                                                                                  • Opcode Fuzzy Hash: f192e1d4ce6da24b30661df487f12e9c0c9414033a8a0d4c05a3f75df6258f84
                                                                                                  • Instruction Fuzzy Hash: 25F13036B19E4ACAE710CBF5D4607AD2375AB88F98F110176DE0DA7B98DE38D486C350
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ActivationCreateFactoryReferenceStringWindows
                                                                                                  • String ID: Start.TileGrid$StartMenuSettings.cpp$StartPin$WindowsInternal.Shell.UnifiedTile.CuratedTileCollections.CuratedTileCollectionManager
                                                                                                  • API String ID: 1966789792-2245281551
                                                                                                  • Opcode ID: 24cb947f763ff59791ca9592d9dc97002b8e30dae2ff7bacea21f3c6b787a711
                                                                                                  • Instruction ID: fb95729b110a5f46a50b247f78fa627be9be50410b7c1e27f67227bc99074aab
                                                                                                  • Opcode Fuzzy Hash: 24cb947f763ff59791ca9592d9dc97002b8e30dae2ff7bacea21f3c6b787a711
                                                                                                  • Instruction Fuzzy Hash: F3910A26B14E4BC6FB108BB5D8A06ED2770BB48F98B541532DE4DA3B64DE79D989C300
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ObjectSingleWait
                                                                                                  • String ID: wil
                                                                                                  • API String ID: 24740636-1589926490
                                                                                                  • Opcode ID: 6cb99dce32a31d1732828c6e927fb19117e6b334bfb23547af7556cf32aa526d
                                                                                                  • Instruction ID: b6afb3af6fc5b7bcaffa28fcf275e1bd9e2a0808109101744e980af34573a648
                                                                                                  • Opcode Fuzzy Hash: 6cb99dce32a31d1732828c6e927fb19117e6b334bfb23547af7556cf32aa526d
                                                                                                  • Instruction Fuzzy Hash: BC414371B1CE4BC2FBA09BA5E4203BA67A1EF84F94F504132E94F86695DE3CE5C5C601
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Message$FindRegister$Post
                                                                                                  • String ID: SHELLHOOK$SimpleWindowSwitcher_{BEA057BB-66C7-4758-A610-FAE6013E9F98}
                                                                                                  • API String ID: 806771716-2759489877
                                                                                                  • Opcode ID: 3e11536cf82fe94f4e0ef2b57cea84fb7ed16f0d289556e78c200ca9780dae0a
                                                                                                  • Instruction ID: 697d8d4b1ccbd286d812e061248a94db0f6c5b7c88b332a9e7c682b179db0523
                                                                                                  • Opcode Fuzzy Hash: 3e11536cf82fe94f4e0ef2b57cea84fb7ed16f0d289556e78c200ca9780dae0a
                                                                                                  • Instruction Fuzzy Hash: DF210B24F5CE1AC1FF649BE1EA6477512A1BF58F82F884075C84F46A94DEACA4E4C340
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID: -$:$f$p$p
                                                                                                  • API String ID: 3215553584-2013873522
                                                                                                  • Opcode ID: 0fac80845ca2206c325da4620558c9a9b35b740b33f0e8549cdded86d03224de
                                                                                                  • Instruction ID: ec9730055922c5b23b0094da4108e129a38430c2e6035c62d44ec945f4981efa
                                                                                                  • Opcode Fuzzy Hash: 0fac80845ca2206c325da4620558c9a9b35b740b33f0e8549cdded86d03224de
                                                                                                  • Instruction Fuzzy Hash: E1129031F0C95BC6FB245A94D0683BA76A5EB40F58FA44131E68A466D8DF3FE9C4CB10
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID: f$f$p$p$f
                                                                                                  • API String ID: 3215553584-1325933183
                                                                                                  • Opcode ID: bc113c6e72820b98e318c63d88f467cb3010e0423711e0b0b4a3decac008c911
                                                                                                  • Instruction ID: 210c3926c94d162d5351998c48bfc613b785120fd8666e8035c9c7ae645c3115
                                                                                                  • Opcode Fuzzy Hash: bc113c6e72820b98e318c63d88f467cb3010e0423711e0b0b4a3decac008c911
                                                                                                  • Instruction Fuzzy Hash: 8B129F62B0C98BC6FB615E95E0643BAF251FB62B54F954036F699466C8DF3CE4C0CB40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: BitsStretch
                                                                                                  • String ID:
                                                                                                  • API String ID: 350495539-3916222277
                                                                                                  • Opcode ID: 16169dae19ceeb75348473d394cbf06ec6f314e1e1cb273dfbed35b0081e99fd
                                                                                                  • Instruction ID: b688b0cf2c4c361611f3f61e5e8e3b7f57a6abd5e3a8b0c23f6eaa839fc51349
                                                                                                  • Opcode Fuzzy Hash: 16169dae19ceeb75348473d394cbf06ec6f314e1e1cb273dfbed35b0081e99fd
                                                                                                  • Instruction Fuzzy Hash: 10A142B2618BC08ED7108F65F48475EBBB4F789798F205229EA8963B58DB7DD055CF00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ClassNamePerformanceQuery$CounterCursorEnumFrequencyFromMenuPointPopupPropsTrackWindow
                                                                                                  • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                                                                                                  • API String ID: 1660317238-1433838494
                                                                                                  • Opcode ID: 128fb20ece10c7a3924be445a59ad679d9d991228480f978e37881e9e63ea3d7
                                                                                                  • Instruction ID: 53bafaa403091197f1c39f719f643afbbb0edfce3c5af6723c95b87856f8928e
                                                                                                  • Opcode Fuzzy Hash: 128fb20ece10c7a3924be445a59ad679d9d991228480f978e37881e9e63ea3d7
                                                                                                  • Instruction Fuzzy Hash: 6B917276B48A4AC6EB609F85E46037973A1FB85F90F844136EE4D126A4DF3CE8C5C742
                                                                                                  APIs
                                                                                                  • CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD656722BE
                                                                                                  • IUnknown_QueryService.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD656722F1
                                                                                                  • WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD65672364
                                                                                                  • WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E130), ref: 00007FFD65672428
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CreateStringWindows$DeleteInstanceQueryReferenceServiceUnknown_
                                                                                                  • String ID: Windows.Internal.ShellExperience.MtcUvc$Windows.Internal.ShellExperience.NetworkFlyout$Windows.Internal.ShellExperience.TrayBatteryFlyout$Windows.Internal.ShellExperience.TrayClockFlyout
                                                                                                  • API String ID: 3704749038-3268901682
                                                                                                  • Opcode ID: b73c0e7a01cbb78688efa312c8a3ac757f1c225743d08ed0fb6fe31fed24a1df
                                                                                                  • Instruction ID: d70a23393ebe3b9362559a79f19d73670f25a252ba603298a3ac94ce43d83957
                                                                                                  • Opcode Fuzzy Hash: b73c0e7a01cbb78688efa312c8a3ac757f1c225743d08ed0fb6fe31fed24a1df
                                                                                                  • Instruction Fuzzy Hash: F0510E72B08E4BC2EB508BA9E8A036967B1FB84FA0F504132DA4E57764DF7DD589C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait
                                                                                                  • String ID: Local\SM0:%lu:%lu:%hs$wil$x
                                                                                                  • API String ID: 908355122-984673096
                                                                                                  • Opcode ID: d964f013290470198f31b6882e51c7cbeb86e784c1be97d68529b4bb9367cec1
                                                                                                  • Instruction ID: 46844a033f85a9522525447618c38a1d6458bdb567b928b3f19c5a714be2a215
                                                                                                  • Opcode Fuzzy Hash: d964f013290470198f31b6882e51c7cbeb86e784c1be97d68529b4bb9367cec1
                                                                                                  • Instruction Fuzzy Hash: 6551922171DE8BC1FB609B95E4647BAA360EF84F90F540532EA8E87B95DE3CD485C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$ClassMessageRegisterWord$AttributeComposition
                                                                                                  • String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
                                                                                                  • API String ID: 2307794763-1433838494
                                                                                                  • Opcode ID: e154c394c6d2fd9063cc1ccc694e1db74e76edb28decd2560635fdc285ff3f39
                                                                                                  • Instruction ID: a4626a754cf3c58207702bc9c730f09af240deeaaadafed8ccbdddc26b4f1b1c
                                                                                                  • Opcode Fuzzy Hash: e154c394c6d2fd9063cc1ccc694e1db74e76edb28decd2560635fdc285ff3f39
                                                                                                  • Instruction Fuzzy Hash: D3417E61F48E4AC7FB649B91D82433D63A6AF81F98F184135E94E066A4CF3CE8D5CB01
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeString$Messagewsprintf
                                                                                                  • String ID: %sLine %u: %s%s$Error
                                                                                                  • API String ID: 1127142505-3766919743
                                                                                                  • Opcode ID: 7e5e450b7c3d9d25ce32135dab633d936c69a5a0caca5d45b25486a9b0defd27
                                                                                                  • Instruction ID: 6d0a4f624e88d957fd5ac4a34f3f4897eea13fb46628e68a79625159208e7fda
                                                                                                  • Opcode Fuzzy Hash: 7e5e450b7c3d9d25ce32135dab633d936c69a5a0caca5d45b25486a9b0defd27
                                                                                                  • Instruction Fuzzy Hash: A131F862A18F8AC2DB10DB51F4647AAA370FBD9B84F445132DA8E47B28DF7CD194CB40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher, xrefs: 00007FFD656712A7
                                                                                                  • Windows.UI.QuickActions.dll, xrefs: 00007FFD656712C6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual$CloseLibraryLoadOpen
                                                                                                  • String ID: Control Panel\Quick Actions\Control Center\QuickActionsStateCapture\ExplorerPatcher$Windows.UI.QuickActions.dll
                                                                                                  • API String ID: 833317941-2238621791
                                                                                                  • Opcode ID: 40093c2c2d411dc051a55da60c8ab614ed19546aff4c4f70f436c8de76865bda
                                                                                                  • Instruction ID: 8802bdadc1caa0fffd776cdcbaebe1d7de234d72e72bca28ba98bbdd5c4c0ef7
                                                                                                  • Opcode Fuzzy Hash: 40093c2c2d411dc051a55da60c8ab614ed19546aff4c4f70f436c8de76865bda
                                                                                                  • Instruction Fuzzy Hash: 1B917D62B18A8AC6EB548FA1D4703B977A5FB44F88F444136CE4E5BB98DE3CE585C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: StringWindows$ActivationCreateDeleteFactoryReference
                                                                                                  • String ID: WindowsUdk.UI.Shell.TaskbarLayout$[Positioning] Added settings for monitor %p : %d$[Positioning] Changed settings for monitor: %p : %d$[Positioning] Removed settings for monitor: %p
                                                                                                  • API String ID: 2243136672-1634499889
                                                                                                  • Opcode ID: cfd15b76b2e5a53c4c930bc2ca916c6c4de9213d4916d509ac99a2c5a72be6eb
                                                                                                  • Instruction ID: 12dbfa50c108904896cb14cd62f8a667e0209a17cffdc0629964e0ce921694ef
                                                                                                  • Opcode Fuzzy Hash: cfd15b76b2e5a53c4c930bc2ca916c6c4de9213d4916d509ac99a2c5a72be6eb
                                                                                                  • Instruction Fuzzy Hash: 74810672B08E1AC6EB148FA5D8A42AD33B1FB44F98B544536DE0E57B68DF39E495C300
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ClassEnumMenuNamePopupPropsTrack
• String ID: SHELLDLL_DefView$Shell_SecondaryTrayWnd$Shell_TrayWnd$SysTreeView32
• API String ID: 3301139559-1312006807
• Opcode ID: ecd20350560e8102a5445a1d547cb7e323caede6247b8b32d0e71a1653219032
• Instruction ID: c319b9ab1049d33f8ba5c2866ecc6dd4e9490e9484a47f63f189ada86f60da84
• Opcode Fuzzy Hash: ecd20350560e8102a5445a1d547cb7e323caede6247b8b32d0e71a1653219032
• Instruction Fuzzy Hash: 1061B266B4894AC2EB648B96D4303B973A1FB54FA4F844232DD4E076A8DF7CE8D5C701
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ExclusiveLock$Release$AcquireAddressLibraryLoadProc
• String ID: RoGetAgileReference$combase.dll
• API String ID: 1925124437-3498391780
• Opcode ID: 2d25d96308d6576da6ea71630913badf15274bc04d8172f370e9f48a57ab2006
• Instruction ID: 8110eeeef21b28144801a94386956954e59b32be40f36be136b2b69debb32c9e
• Opcode Fuzzy Hash: 2d25d96308d6576da6ea71630913badf15274bc04d8172f370e9f48a57ab2006
• Instruction Fuzzy Hash: 07611722B0AF1AC5EB10DBA1D8603BC23A4AF44F98F484976DE1D57765DF38D995C310
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$Monitor$FindFromRect
• String ID: Shell_TrayWnd$`$`
• API String ID: 1754679160-909703354
• Opcode ID: 3c810de8b388980eaee915de0c67787d9286607261a614068ed218275ba57dbb
• Instruction ID: a8ce56c891570e0e09f367fd2f78db595953a5e77e95218f896e979e87b0ada2
• Opcode Fuzzy Hash: 3c810de8b388980eaee915de0c67787d9286607261a614068ed218275ba57dbb
• Instruction Fuzzy Hash: 1151B332A1CE46CAE762CB65E46433AB3A1EF59B85F108731E55E92664DF3CE491CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: .rdata$[SSO] pguidTarget = %llX$[SSO] pssoEntryTarget = %llX
• API String ID: 544645111-3803262335
• Opcode ID: 3da57a61b8d03f903389d7fcf90102e1d8f131a3839927f75438aff2c155269f
• Instruction ID: 688d4cc487d363e4abd28c0c95baee1a4f007b74c400c620bb9e121c661c4ab7
• Opcode Fuzzy Hash: 3da57a61b8d03f903389d7fcf90102e1d8f131a3839927f75438aff2c155269f
• Instruction Fuzzy Hash: A951AD22B08E4AC6EB608FA1E460379A7B0FB54F98F108131DA4D47698EF3CE5D5C742
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID:
• String ID: ====================================$====================================An error occured in the application.Error number: 0x%x$Description: %s$General failure$Here is the stack trace:
• API String ID: 0-2550951133
• Opcode ID: 247e535ffdaea2d948cfc772308ba7d5c326806172b63b5b1f06f032a2458995
• Instruction ID: c47b9dc0f9f1ad85700d62e8ba8628787aef9f1af9bcb6edd47d2a6d99be8f9e
• Opcode Fuzzy Hash: 247e535ffdaea2d948cfc772308ba7d5c326806172b63b5b1f06f032a2458995
• Instruction Fuzzy Hash: D7314F31F48E4AC2FA10DB95E4713796261AF95B80F940135EA4E47795EF3DE9D1C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$Message$CallClassClickCreateDoubleFindHookInstanceNameNextPostRegisterTime
• String ID: Shell_TrayWnd$Windows11ContextMenu_{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}
• API String ID: 1587758685-4164012455
• Opcode ID: d3235a081cff106ef0dbb9e6b14df50ae6edffb1406e9cb2185b88d2b9e7f724
• Instruction ID: ea94b9de363c20971d624f7a1c800cabd783263b325f2ba6fff30e63508d6dc0
• Opcode Fuzzy Hash: d3235a081cff106ef0dbb9e6b14df50ae6edffb1406e9cb2185b88d2b9e7f724
• Instruction Fuzzy Hash: AB31F225F4CE4BD6FB609BE1E87433562A6AF84F94F040135E94E42695DE7CA4C1CB42
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: DeleteStringWindows
• String ID:
• API String ID: 3152741638-0
• Opcode ID: 220ed1f342998a80439a4c618c8cb02c5339f846fd9f4f2c159e7e9e8fb559cd
• Instruction ID: 138e17d8d787ba5f1eb296c851a4657fe413ac514f5e7014869962ff82618121
• Opcode Fuzzy Hash: 220ed1f342998a80439a4c618c8cb02c5339f846fd9f4f2c159e7e9e8fb559cd
• Instruction Fuzzy Hash: 1631C336B14E4AC5EB10AF71E8643692375FB85F88F544136DA4E4BB69CF39E896C300
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
• String ID: csm$csm$csm
• API String ID: 1826822863-393685449
• Opcode ID: e2a4c342c4d421d5c73be41df65f2b5ec1998bf278118c1d66828454b570aa30
• Instruction ID: 1cc810a8a9cdc78129992220cab61e75b1248460474eef5c84c61f0f3f5989a8
• Opcode Fuzzy Hash: e2a4c342c4d421d5c73be41df65f2b5ec1998bf278118c1d66828454b570aa30
• Instruction Fuzzy Hash: FED17132B18B4BCAEB609BA5D5503AD77A0FB66B98F140135EA8D57765CF38E0C1C701
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: b52de193dcd97822f851048e7139e83e243a94adfbbac5a678cd008b0d4c604a
• Instruction ID: 6d1a1f49f5bc9f90dc7379d329559eefa7f88930d8d9f0dc9b8b8a56c8b17b72
• Opcode Fuzzy Hash: b52de193dcd97822f851048e7139e83e243a94adfbbac5a678cd008b0d4c604a
• Instruction Fuzzy Hash: C7C1A322B0CE8ED5EB609B95D4203BA7BA5EB81F90F554131DA4D07392DE7DE8E5C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Monitor$FromInfoPoint
• String ID: ($TwinUIPatches.cpp
• API String ID: 1349325158-3972200677
• Opcode ID: e054066f941461976d5cc2d576777dffaa520b6b6f2a9a6a1f556f6559503beb
• Instruction ID: bcb200128641f0bae4aab20f32b56d83f040c1d427724e38931cd194a50ddb79
• Opcode Fuzzy Hash: e054066f941461976d5cc2d576777dffaa520b6b6f2a9a6a1f556f6559503beb
• Instruction Fuzzy Hash: 6C613A22B05F4AC5FB118BE1D8607A92760FB98FA8F148632DE0D97B94DE38D5C9C351
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: MonitorWindow$From$InfoPointRect$Find
• String ID:
• API String ID: 2969468792-0
• Opcode ID: 28d520fd46e6a450a8f3d6f9ca3a2d7ccd785e937793381680aa9034f5109025
• Instruction ID: 6d9a49d36a6e91cfa6cd023673365618b37ac6207d2049c9d1412a2566e832a0
• Opcode Fuzzy Hash: 28d520fd46e6a450a8f3d6f9ca3a2d7ccd785e937793381680aa9034f5109025
• Instruction Fuzzy Hash: 88516A32B18906DFE724CFB8D8A46AC37B5FB84B48B154534DE48A7B48CE78E945CB40
APIs
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DEA1
• GetLastError.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DEAF
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DED9
• FreeLibrary.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DF47
• GetProcAddress.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DF53
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 395a31ccfc8d9580cbc22548a9da8417bb1a8a367a659b40465e7ae359179efb
• Instruction ID: 61b5a2667b969d4534baaa3addd42f4275e62186cccc8cba725e9bfb6f7b3ea0
• Opcode Fuzzy Hash: 395a31ccfc8d9580cbc22548a9da8417bb1a8a367a659b40465e7ae359179efb
• Instruction Fuzzy Hash: F731AF21B0AE4AD1EF119B82E82037923A4FF56FA4F594535DE5D0B790EE3CE480C340
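The record above is one of the few in this section whose API list is expanded: five KERNEL32 calls, each with the absolute address of its call site in the explorer.exe (process 12) memory dump, plus the list of dumped regions that make up the module they live in. The call sequence, LoadLibraryExW, GetLastError, a second LoadLibraryExW, FreeLibrary and GetProcAddress, together with the string api-ms-, has the shape of a runtime import resolver that copes with API-set DLL names; that pattern occurs in ordinary CRT start-up code as well as in injected code, so what a practitioner actually needs from the record is where the call sites are in the on-disk image (the RVA, i.e. the address minus the "Offset" base) and which of the hex arguments point back into the module, since those are the return addresses of the callers. The helper below is an added example and is neither Joe Sandbox code nor code from the analysed sample. It assumes that the first, second and fourth dotted fields of a .sdmp file name are the process id, dump number and region start address (which is consistent with the snapshot name hcaresult_12_2_7ffd65650000_explorer.jbxd but is not documented on this page), that regions are page-granular, and that a hex argument lying inside the module's span is a code pointer into it; the sample input is the record's own lines.

```python
"""Triage helper for one Joe Sandbox per-function record (added example, not Joe Sandbox code).

Parses the "APIs" and "Memory Dump Source" lines of a record, turns the absolute call-site
addresses into RVAs relative to the base given after "Offset:", and flags arguments that
point back into the same module.

Assumptions not stated in the report: .sdmp name fields 1, 2 and 4 are process id, dump
number and region start address (matches hcaresult_12_2_7ffd65650000_explorer.jbxd);
regions are page-granular; a hex argument inside the module's span is a return address.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
SDMP_RE = re.compile(r"(?:Source File|Associated):\s*(?P<fname>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)+)\.sdmp")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
PAGE = 0x1000  # assumed granularity of the dumped regions


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int  # absolute address of the call site in the dump


@dataclass
class FunctionRecord:
    base: int = 0
    pid: int = 0
    dump_no: int = 0
    regions: list[int] = field(default_factory=list)  # start addresses of the dumped regions
    calls: list[ApiCall] = field(default_factory=list)

    def rva(self, va: int) -> int:
        """Offset of an absolute dump address inside the on-disk image."""
        return va - self.base

    def span_end(self) -> int:
        """First address known to lie past the module: highest dumped region plus one page."""
        return max(self.regions + [self.base]) + PAGE

    def in_module(self, va: int) -> bool:
        return self.base <= va < self.span_end()


def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            rec.calls.append(ApiCall(m["name"], m["mod"], m["args"].split(","), int(m["ref"], 16)))
            continue
        m = BASE_RE.search(line)
        if m:
            rec.base = int(m["base"], 16)
        m = SDMP_RE.search(line)
        if m:
            fields = m["fname"].split(".")
            rec.pid, rec.dump_no = int(fields[0], 16), int(fields[1], 16)
            rec.regions.append(int(fields[3], 16))
    return rec


def code_pointer_args(rec: FunctionRecord, call: ApiCall) -> list[int]:
    """Hex arguments that land inside the module: assumed return addresses of the callers."""
    return [int(a, 16) for a in call.args if HEX_RE.match(a) and rec.in_module(int(a, 16))]


def triage(rec: FunctionRecord) -> list[dict]:
    """One row per call: API, call-site RVA for IDA, and the in-module pointers it saw (as RVAs)."""
    return [
        {
            "api": f"{c.name}.{c.module}",
            "rva": rec.rva(c.ref),
            "callers": [rec.rva(p) for p in code_pointer_args(rec, c)],
        }
        for c in rec.calls
    ]


# Sample input: the APIs and Memory Dump Source lines of the api-ms- record, copied from the report.
SAMPLE = """
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DEA1
• GetLastError.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DEAF
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DED9
• FreeLibrary.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DF47
• GetProcAddress.KERNEL32(?,?,00000000,00007FFD6569E023,?,?,?,00007FFD6569AB36,?,?,?,00007FFD6569AAF1), ref: 00007FFD6569DF53
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
"""

if __name__ == "__main__":
    record = parse_record(SAMPLE)
    print(f"pid {record.pid}, dump {record.dump_no}, base {record.base:#x}, span ends at {record.span_end():#x}")
    for row in triage(record):
        callers = ", ".join(f"{r:#x}" for r in row["callers"])
        print(f"{row['api']:<28} rva {row['rva']:#07x}  in-module pointers: {callers}")
```

Running it on the record gives RVA 0x4dea1 for the first LoadLibraryExW and 0x4df53 for GetProcAddress, and the three in-module pointers 0x4e023, 0x4ab36 and 0x4aaf1 for every call; those are the offsets to open in the dropped DLL, and the three callers are usually the more interesting functions than the resolver itself. Because the span is derived only from the regions Joe Sandbox dumped, it is a lower bound on the real image size; a pointer just past the last region would be missed rather than misattributed.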
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: #413$#412MessagePost
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarSd
• API String ID: 691879527-1316455474
• Opcode ID: e8ef062d3e4db97a608914cd394fefc2310a31697b317585529f458907ed4c07
• Instruction ID: 5162112be36ab0e3bb5c2264984431a186456c1a6e77296ca00b3a69ea133b81
• Opcode Fuzzy Hash: e8ef062d3e4db97a608914cd394fefc2310a31697b317585529f458907ed4c07
• Instruction Fuzzy Hash: 7C216021B29E4AC5FB608B95F8A077962A4AF98F98F441035DA4E07B55DF3CE485C701
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: b6ce57b59bb366973f69267a6622476f5082e6942641958cea62566d32bfade2
• Instruction ID: d51d010a83b0abb1e110b798c0d5a6ad085298ba3c4924c0646285f24deb4d69
• Opcode Fuzzy Hash: b6ce57b59bb366973f69267a6622476f5082e6942641958cea62566d32bfade2
• Instruction Fuzzy Hash: F1213924B0DE8AC1FB68A3E1E67137966A29F44FF0F144734D92E066D6EE2DA4D1C200
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 7e15efb84d2b9ba58ea895313166d56808b3acfb4739f2d2abd5ad9eaa873fb7
• Instruction ID: 54902b260d11324f3daceec3fc4fff6b08ec1eb4acb65cfe0ef36327cc13e799
• Opcode Fuzzy Hash: 7e15efb84d2b9ba58ea895313166d56808b3acfb4739f2d2abd5ad9eaa873fb7
• Instruction Fuzzy Hash: C9118131B18E45C6EB508B92E86432972B0FB98FE4F040234EA1D87794DF3DD594C780
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Heap$AddressAllocHandleModuleProcProcess
• String ID: RtlDisownModuleHeapAllocation$ntdll.dll
• API String ID: 3242894177-704576883
• Opcode ID: e12e3b4424fb9b3e7be58cb83f494a023fa11a41684acafc1630beb2eb937718
• Instruction ID: f02fa7b64af0bd6e76c07958932305aec38cca16429492c9b4a4d3b1a477b178
• Opcode Fuzzy Hash: e12e3b4424fb9b3e7be58cb83f494a023fa11a41684acafc1630beb2eb937718
• Instruction Fuzzy Hash: 0701F724F09F8AC1FE949B92F86436463A1AF48F88F485836C96E47364DE3CE4D1C300
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Unregister
• String ID:
• API String ID: 315482161-0
• Opcode ID: 766d3c97c3d8b32cdde17675f46af760bfa5e6629d966a02d5b8d8db012bcc67
• Instruction ID: af866b8586a2c906d7b5c0835a226d5d11abd7aa326af72d4b6c32012eee2977
• Opcode Fuzzy Hash: 766d3c97c3d8b32cdde17675f46af760bfa5e6629d966a02d5b8d8db012bcc67
• Instruction Fuzzy Hash: DF01A966B04D05C2EB459BA1D8653292325EB98F6DF104231CE2E463D9CF7CD8E5D290
APIs
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Window$MenuPath$Foreground$InsertPopupProc$CreateCursorExtensionLongRemoveSpacesStripTrackUnquotewsprintf
• String ID:
• API String ID: 1129523998-0
• Opcode ID: 5536128b1daad23b82ad7d33954240776bfc4c408024a79fe10b42f1552ac7ac
• Instruction ID: bcfc59520e12fdb56d44dcc3e8bde71a961e9daf92810a5cbd1ccade27c6e5c7
• Opcode Fuzzy Hash: 5536128b1daad23b82ad7d33954240776bfc4c408024a79fe10b42f1552ac7ac
• Instruction Fuzzy Hash: 5431A025B09F5AC2FA208B96E42077963A4BF85FD0F584435DE4E177A4DE3DE582C310
                                                                                                  APIs
                                                                                                  Strings
Similarity
• API ID: ProtectVirtual$CreateInstance
• String ID: xxxx
• API String ID: 1177339427-1813341303
• Opcode ID: cc53c8e5df5110962256a560091cd936376db5225e5abca9e0302b8971e7620c
• Instruction ID: 3f96c15af3a6c051da32f233a6342630f68ce29168c689cfbe65f6df213675c8
• Opcode Fuzzy Hash: cc53c8e5df5110962256a560091cd936376db5225e5abca9e0302b8971e7620c
• Instruction Fuzzy Hash: 1F51AF31B18E5AC5EB508F92E8607A963A5EB85FA8F540136DA1C47BD0CF3DD985C700
APIs
Strings
Similarity
• API ID: DisplayEnumInitializeMonitorsUninitialize
• String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced$TaskbarAl
• API String ID: 3377822461-945323219
• Opcode ID: 478e00b8775ee4d72d0e0fe872277ce1c2615b7ab29c70126ad11a32c3cf8a0d
• Instruction ID: 9e53b1fe2a2d9991863fc37513aed4ae066e25c3437e3efa86b763317db87f71
• Opcode Fuzzy Hash: 478e00b8775ee4d72d0e0fe872277ce1c2615b7ab29c70126ad11a32c3cf8a0d
• Instruction Fuzzy Hash: 44417136B18F46C6EB508F94E4A436AB3A1FF84B54F540139E68E47694CF7CE885CB40
APIs
Strings
Similarity
• API ID: Create$_invalid_parameter_noinfo
• String ID: ShellFolder$Software\Classes\CLSID\{2cc5ca98-6485-489a-920e-b3e88a6ccce3}
• API String ID: 219255893-1186126643
• Opcode ID: 160c85a51d7c2f97c26d74edd1f3fccc5c3839cbffdbea94e1dd0d9b430a8246
• Instruction ID: 5f3a6a61792854c71bc754fe2a01845f05542ba1655ffa164f7333c518b2142f
• Opcode Fuzzy Hash: 160c85a51d7c2f97c26d74edd1f3fccc5c3839cbffdbea94e1dd0d9b430a8246
• Instruction Fuzzy Hash: 6441E936B18B85C6DB60CF56E45076AB3A5FB88B94F444235EA8D83B69DF3CD094CB00
APIs
• CoCreateInstance.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E15D), ref: 00007FFD6567217F
• IUnknown_QueryService.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E15D), ref: 00007FFD656721AA
• WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E15D), ref: 00007FFD656721D6
• WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFD6565E15D), ref: 00007FFD6567223D
Strings
Similarity
• API ID: CreateStringWindows$DeleteInstanceQueryReferenceServiceUnknown_
• String ID: Windows.Internal.ShellExperience.ControlCenter
• API String ID: 3704749038-1077972374
• Opcode ID: 647ffeee28e4ad72aba8ac356ef0e6df38d2e9cd0da0b1fa311292e12554823d
• Instruction ID: 2214ece7f7c73c7b94171470b99f04f9d49cbbd2d30eb35b647c86d91441e6b5
• Opcode Fuzzy Hash: 647ffeee28e4ad72aba8ac356ef0e6df38d2e9cd0da0b1fa311292e12554823d
• Instruction Fuzzy Hash: 3631E766719E4AC2EB40CFA5E46026AB370FB88F80F544432EA8E47B24CF7DD489C700
APIs
Strings
Similarity
• API ID: ItemMenu$Info$Count
• String ID: P$[ROD]: Level %d Position %d/%d Status %d
• API String ID: 4286743509-735391699
• Opcode ID: f987482cfbea4847a29c21928f707ae859c3977e92baad314a07106812621335
• Instruction ID: e705a8977972d860a88e56edfbad323c191d2780194529e99cabaee6779e0444
• Opcode Fuzzy Hash: f987482cfbea4847a29c21928f707ae859c3977e92baad314a07106812621335
• Instruction Fuzzy Hash: C9218071B18A46C6EB508F66E4A076A77A0FB89FD4F404034EA8E87745DF3DE485CB40
APIs
Strings
Similarity
• API ID: ProtectVirtual$CurrentInformationModuleProcess
• String ID: x?xx?x?x????xxx
• API String ID: 2643150895-841012870
• Opcode ID: 0bd666689177ef10576290b0ee6228079ccc92fb039e1f91643e8c0ba8999389
• Instruction ID: 93a4817021729b0838be0b38008edce35dbda44c800f03bc9c48ef77a80ebfe0
• Opcode Fuzzy Hash: 0bd666689177ef10576290b0ee6228079ccc92fb039e1f91643e8c0ba8999389
• Instruction Fuzzy Hash: 76118F65B58A4AC1FB609FA1E4247A67760EB88F94F844031EA4E07795DE3DE1C5CB00
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: cab22331426e636fbbe918391b0261f4ead487ada66e5c9c54806ba359c7b5ed
• Instruction ID: 99134855cb50b251520cf7452924b2522ff832c02f168665061f5a1d052c484d
• Opcode Fuzzy Hash: cab22331426e636fbbe918391b0261f4ead487ada66e5c9c54806ba359c7b5ed
• Instruction Fuzzy Hash: A7F0CD21B08E0AC2EF148BA0E86437A2370EF89FA1F500235CA6E4A6F4DF2DD0D4C700
APIs
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: dbfc47f3c3864c2e196648dc36e94fb640cbc95c6c031ea35a22b63f29b1c6fd
• Instruction ID: 7e8a31fde9b5101b5bb6c3e9250c8d74c991a829f552a75b767ab94e1dec8118
• Opcode Fuzzy Hash: dbfc47f3c3864c2e196648dc36e94fb640cbc95c6c031ea35a22b63f29b1c6fd
• Instruction Fuzzy Hash: 85B19F22F0EE4BC1EA659B95D5A0339A3D0EF66F84F098539DA5D077A5DE2CE4C2D300
APIs
Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Handle$CloseProcess$AddressAllocCreateFreeModuleMutexProcReleaseSemaphore
                                                                                                  • String ID: wil
                                                                                                  • API String ID: 3215620834-1589926490
                                                                                                  • Opcode ID: a29d3fe7bb71c2c65fe5e28e0561425ce3c6b24ace175b7d8d8cc9ed5e2b8374
                                                                                                  • Instruction ID: 7d2a381c36c5f024f4bdac9251c65d00aca52d90f01e62c86255e5e9dec3b7f1
                                                                                                  • Opcode Fuzzy Hash: a29d3fe7bb71c2c65fe5e28e0561425ce3c6b24ace175b7d8d8cc9ed5e2b8374
                                                                                                  • Instruction Fuzzy Hash: C051A122B19B86C6EB208F61D56037A63A0FB98B94F045635DE8D43B55EF3CE0E0C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendTimeout$ShellWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 1795729329-0
                                                                                                  • Opcode ID: 8cb80d24ea8f3896bc2fb9eb5dbe75fbf6513dd04a35cf45ae4084f419bbd67d
                                                                                                  • Instruction ID: aecbeb6bf571502be8641038a284e387796b76f82de0ffc83580183df6491fe1
                                                                                                  • Opcode Fuzzy Hash: 8cb80d24ea8f3896bc2fb9eb5dbe75fbf6513dd04a35cf45ae4084f419bbd67d
                                                                                                  • Instruction Fuzzy Hash: E2312832618B8583E7608B54F85071EB6A5FB89B74F541335E6AD46AE8CF7CD581CB00
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalSection$Leave$Enter
                                                                                                  • String ID:
                                                                                                  • API String ID: 2978645861-0
                                                                                                  • Opcode ID: d3125fde60b9e8771b2d5ec27363712c6d896e149078600850c9f6d35f10f85b
                                                                                                  • Instruction ID: 4eb34fdaf202a0aeafdd26d7265a4d16bb8132464c48fd1db8ec042ecc7b113f
                                                                                                  • Opcode Fuzzy Hash: d3125fde60b9e8771b2d5ec27363712c6d896e149078600850c9f6d35f10f85b
                                                                                                  • Instruction Fuzzy Hash: DE314025F1CE4AC2EB948F96E8F433567A1EB84F45F040039DA8D476A4DEADE8C4C741
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _set_statfp
                                                                                                  • String ID:
                                                                                                  • API String ID: 1156100317-0
                                                                                                  • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                  • Instruction ID: f1fef38eed7822132c65c0d5b3f8fd80fb17575c8d7dc87da3932b33c48f2150
                                                                                                  • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                  • Instruction Fuzzy Hash: 18114F36F6CE0F81FE5419A4D5763752284AF79B6CE148634EA6E063D6CE2CA8E1C204
                                                                                                  APIs
                                                                                                  • FlsGetValue.KERNEL32(?,?,?,00007FFD656ABA17,?,?,00000000,00007FFD656ABCB2,?,?,?,?,?,00007FFD656ABC3E), ref: 00007FFD656B02DF
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFD656ABA17,?,?,00000000,00007FFD656ABCB2,?,?,?,?,?,00007FFD656ABC3E), ref: 00007FFD656B02FE
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFD656ABA17,?,?,00000000,00007FFD656ABCB2,?,?,?,?,?,00007FFD656ABC3E), ref: 00007FFD656B0326
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFD656ABA17,?,?,00000000,00007FFD656ABCB2,?,?,?,?,?,00007FFD656ABC3E), ref: 00007FFD656B0337
                                                                                                  • FlsSetValue.KERNEL32(?,?,?,00007FFD656ABA17,?,?,00000000,00007FFD656ABCB2,?,?,?,?,?,00007FFD656ABC3E), ref: 00007FFD656B0348
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: aaf86403c34e9556f308d35539dd04d29e1e9eae5800eb4d06ec95bafccd7f27
                                                                                                  • Instruction ID: 5f3f95c133a4b99e08f7deacab9f44db57cd764befb63f25f53e39f765283988
                                                                                                  • Opcode Fuzzy Hash: aaf86403c34e9556f308d35539dd04d29e1e9eae5800eb4d06ec95bafccd7f27
                                                                                                  • Instruction Fuzzy Hash: 21111A60F0DE4AC2FB5893A6E6A537965926F44FB0F084734EC2D066D6DE3DA4D2C600
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID:
                                                                                                  • API String ID: 3702945584-0
                                                                                                  • Opcode ID: 69fcf99ce4a02013613f39e3c2fe04a609e869aab94c3d15a8f7eb1b780ce5d5
                                                                                                  • Instruction ID: b7fc8340c738f4b566218b13bdcaca1035bfb11acf8244231cc1d33cfd3138c7
                                                                                                  • Opcode Fuzzy Hash: 69fcf99ce4a02013613f39e3c2fe04a609e869aab94c3d15a8f7eb1b780ce5d5
                                                                                                  • Instruction Fuzzy Hash: A911F564F09A4EC1FA5DA2E5D9723B921565F45BB0E184B34DC2E0A2C2DD2DB4D1C200
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$FindWindow$Parent
                                                                                                  • String ID:
                                                                                                  • API String ID: 2087735068-0
                                                                                                  • Opcode ID: f9ebecd665a18c49aa767cb12b92951465b36a616f935c5b42ecfedfb94529a4
                                                                                                  • Instruction ID: 1ac23e3dfd7936605255db501f43a8bd94baf2c6cbb278e099271fffb144c616
                                                                                                  • Opcode Fuzzy Hash: f9ebecd665a18c49aa767cb12b92951465b36a616f935c5b42ecfedfb94529a4
                                                                                                  • Instruction Fuzzy Hash: 29012DA0B09A47C2FF685BA2FC60B6616A0AF89F85F081035CE0E0BB95DE3DD1D1C704
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$THIS IS NOT A BUG, A DELIBERATE STACK TRACE REQUEST HAS BEEN MADE
                                                                                                  • API String ID: 2826327444-1300954401
                                                                                                  • Opcode ID: 9935de65d3387abca4e96d201960c607a2d8a9e80ce1cc01ad4143c0e6beef0b
                                                                                                  • Instruction ID: b1522cc528f07dbd6cefbd771b1e1e707180943942ab9aec4700bd60a1d9c14b
                                                                                                  • Opcode Fuzzy Hash: 9935de65d3387abca4e96d201960c607a2d8a9e80ce1cc01ad4143c0e6beef0b
                                                                                                  • Instruction Fuzzy Hash: 4E01BB21F4CD4BD1FA54EBA5E4313B96260AF95F80F880131EA4E47296EF2DE9C5C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$One or more of the parameters supplied is invalid
                                                                                                  • API String ID: 2826327444-753373920
                                                                                                  • Opcode ID: 9acb2dae790181f818bbe4b672f8462fddb5c2b354fd1e3e1433d059da9829e7
                                                                                                  • Instruction ID: 014e87a4ad9d226bf4b9857d72b43bb4181e8ff9ec353c99e3a77f41ae96e001
                                                                                                  • Opcode Fuzzy Hash: 9acb2dae790181f818bbe4b672f8462fddb5c2b354fd1e3e1433d059da9829e7
                                                                                                  • Instruction Fuzzy Hash: B401A821F48D4BD1FA14EBA5E4353B96260AF91F80F880131EA4E46296EE3DE9C4C600
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$The requested procedure was not found
                                                                                                  • API String ID: 2826327444-1242647813
                                                                                                  • Opcode ID: 8d32ed0a3010ef7037d5ca19a3624a73681774dc3c4a1e7fb654fad612395195
                                                                                                  • Instruction ID: 904ffab99c3a330727f782daf6b081a7b707d8b2abae1b97d5977ffbebf81d90
                                                                                                  • Opcode Fuzzy Hash: 8d32ed0a3010ef7037d5ca19a3624a73681774dc3c4a1e7fb654fad612395195
                                                                                                  • Instruction Fuzzy Hash: 4601A821F48D4BD2FA14EBA5E4353B96260AF91F80F890131EA4E47296EE2DE9C4C610
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$Unable to set the requested DPI awareness context
                                                                                                  • API String ID: 2826327444-4207243742
                                                                                                  • Opcode ID: 70fb9272e445c90bc8f8d3190402ae1bc4de90be4858217cc58789e4e0655a68
                                                                                                  • Instruction ID: 6a329d57bbe6647b73ec3ddebdd1dc677f3b883c64f17f4ab6cafbb0d0ae93ff
                                                                                                  • Opcode Fuzzy Hash: 70fb9272e445c90bc8f8d3190402ae1bc4de90be4858217cc58789e4e0655a68
                                                                                                  • Instruction Fuzzy Hash: F601A821F49D4BD1FA54EBA5E4313B96260AF95F80F880131EA4E46296EE2DE9C4C600
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Functionality is not initialized$Here is the stack trace:
                                                                                                  • API String ID: 2826327444-176991105
                                                                                                  • Opcode ID: 2dc4ebf9e699fa44fb34d3104885ac7ef17f76a3c241014000f06cd076083ec6
                                                                                                  • Instruction ID: 4a8b22573d43c60b7f1451ee8eae58e7314a31dc1227fbf88d5814d0c49b63a1
                                                                                                  • Opcode Fuzzy Hash: 2dc4ebf9e699fa44fb34d3104885ac7ef17f76a3c241014000f06cd076083ec6
                                                                                                  • Instruction Fuzzy Hash: DA01A821F48D4BD2FA14EBA5E4353B96260AF91F90F880131EA4E47296EE2DE9C5C610
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$The requested library is not available
                                                                                                  • API String ID: 2826327444-2487367941
                                                                                                  • Opcode ID: bf4a10bf6ebd6902b0d26f8649040d593c8226f065061233dff5b9b408b5c68b
                                                                                                  • Instruction ID: 9f96b80360c9ad073f019aa4d525a793ad54185c6ba500d4fa76712136d70bd9
                                                                                                  • Opcode Fuzzy Hash: bf4a10bf6ebd6902b0d26f8649040d593c8226f065061233dff5b9b408b5c68b
                                                                                                  • Instruction Fuzzy Hash: 4801BB21F4CD4BD2FA54EBA5E4313B96260AF91F80F880131EA4E47296EF2DE9C4C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:$Insufficient memory. Please close some applications and try again
                                                                                                  • API String ID: 2826327444-3218687599
                                                                                                  • Opcode ID: ce7f46ac78bc5d69090b6eefcc8d9dab21bcf7cd960718e50db7847a484f3db0
                                                                                                  • Instruction ID: 549b574b477cab2c089d38c437118e3cc164c1900e7f616c8f6739b500161bf1
                                                                                                  • Opcode Fuzzy Hash: ce7f46ac78bc5d69090b6eefcc8d9dab21bcf7cd960718e50db7847a484f3db0
                                                                                                  • Instruction Fuzzy Hash: 4901A821F48D4BD2FA54EBA5E4313B96260AF91F80F880131EA4E46296EE2DE9D4C600
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$A generic error has occured$Description: %s$Here is the stack trace:
                                                                                                  • API String ID: 2826327444-2479978688
                                                                                                  • Opcode ID: e7cbb35f1ef09930126593368c0f15811d1152c054dc7665b9eede55fb0842f7
                                                                                                  • Instruction ID: b9c895f17ad5050ddb606f45968b82bae38f20d0bf57f0686cc2fa2600f114af
                                                                                                  • Opcode Fuzzy Hash: e7cbb35f1ef09930126593368c0f15811d1152c054dc7665b9eede55fb0842f7
                                                                                                  • Instruction Fuzzy Hash: 2D01A821F48D4BD2FA54EBA5E4313B96260AF91F80F880131EA4E46296EE2DE9D4C600
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                  • API String ID: 3215553584-1196891531
                                                                                                  • Opcode ID: 039c3f1fe8e93366c3df745e1d82cca0f290aaad0d53f647cbcc453f401cfce4
                                                                                                  • Instruction ID: e12e78933667b67f2833aa6ce3bb0c979847ca0a277ca0c1b7588330deaee165
                                                                                                  • Opcode Fuzzy Hash: 039c3f1fe8e93366c3df745e1d82cca0f290aaad0d53f647cbcc453f401cfce4
                                                                                                  • Instruction Fuzzy Hash: 9481AD76F08A4AC9FAA54FA5C17037D36A0EF11F48F558036CA4A57294DB2FE8C2D702
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                  • API String ID: 3215553584-1196891531
                                                                                                  • Opcode ID: f6940c8d1d933eeda2c201bf02cfe38d995b17d80780a40a957b7f878ce835ce
                                                                                                  • Instruction ID: d5d9be1547445ca6b4a6f1a9113f17b37a79d011fe15e27654fb32dbfb4d8ff6
                                                                                                  • Opcode Fuzzy Hash: f6940c8d1d933eeda2c201bf02cfe38d995b17d80780a40a957b7f878ce835ce
                                                                                                  • Instruction Fuzzy Hash: 9B81A032F0CA4ACAF7A54EA8C2743783AD19F16F48F549037DA0E46695CE1FA8C2D705
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                  • String ID: MOC$RCC
                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                  • Opcode ID: edec2ee3303cf4d55f6f5952e775069c69c5d6bae5956a51bbbd40814079c7eb
                                                                                                  • Instruction ID: 6f9a4ab46b9eac92049c3f5b481ce78167587d441c31a258ca0b33644d741fac
                                                                                                  • Opcode Fuzzy Hash: edec2ee3303cf4d55f6f5952e775069c69c5d6bae5956a51bbbd40814079c7eb
                                                                                                  • Instruction Fuzzy Hash: 24918073B08B8ACAE710CBA5D8503AD7BA0F756B88F144126EA8D57B55DF38D195C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                  • String ID: csm
                                                                                                  • API String ID: 2395640692-1018135373
                                                                                                  • Opcode ID: 6a18b9169671f8b03adf3f6befaec6df78fd3a8f22c2917404d2314da2dd3802
                                                                                                  • Instruction ID: 303712fc11ad2fc662fad4771e9d554846f427ec2b714a6333b29547e87771c7
                                                                                                  • Opcode Fuzzy Hash: 6a18b9169671f8b03adf3f6befaec6df78fd3a8f22c2917404d2314da2dd3802
                                                                                                  • Instruction Fuzzy Hash: 3E519E22F19A0BCAEB548B55D564BB873E1EB65F88F118131DA5A47788DF7CE882C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                  • String ID: csm$csm
                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                  • Opcode ID: 77f46826cfc93509138ec7aa49e68eedde8716a4db2b7bd8a706ca1eb4480f8e
                                                                                                  • Instruction ID: 53964d68b4469e168899a4b2087fe715ba5ab36fa95777a66396e8ad11441655
                                                                                                  • Opcode Fuzzy Hash: 77f46826cfc93509138ec7aa49e68eedde8716a4db2b7bd8a706ca1eb4480f8e
                                                                                                  • Instruction Fuzzy Hash: 61517F32A08A8BCAFB648FA5D16436877A0EB66F94F144135DA9E47B85CF38E491C700
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FFD656BB3F7
                                                                                                  • SysFreeString.OLEAUT32 ref: 00007FFD656BB4A4
                                                                                                    • Part of subcall function 00007FFD6567A7B0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00007FFD6567B0AF,?,?,?,?,?,00000000,?,00007FFD6567B8AB), ref: 00007FFD6567A7D3
                                                                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FFD656BB435
                                                                                                    • Part of subcall function 00007FFD6567FD70: GetProcessHeap.KERNEL32 ref: 00007FFD6567FD94
                                                                                                    • Part of subcall function 00007FFD6567FD70: HeapFree.KERNEL32 ref: 00007FFD6567FDA1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$ByteCharFreeMultiProcessWide$String
                                                                                                  • String ID: W
                                                                                                  • API String ID: 3011908892-655174618
                                                                                                  • Opcode ID: 2d82b6daf02fe6883948aa1862e9b50e33fa8ed948814a6d9db24e1fdb96eef3
                                                                                                  • Instruction ID: 572c14eec6f233de3a904c056e775714747ff5c6ccf593c77ac3b010bdb78050
                                                                                                  • Opcode Fuzzy Hash: 2d82b6daf02fe6883948aa1862e9b50e33fa8ed948814a6d9db24e1fdb96eef3
                                                                                                  • Instruction Fuzzy Hash: A5318122704E4ACAE710DFA2D8607A96791FB84BE8F144238EA5D47BE9DF78C581C340
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$ClassPostRegisterWindowWord
                                                                                                  • String ID: WorkerW
                                                                                                  • API String ID: 18795929-1267966093
                                                                                                  • Opcode ID: bfad77c09892389c4485814dd7a8db84c2d6af64fb75877e7e8f6b2b871da546
                                                                                                  • Instruction ID: def13cf142325f48712c802c92a9a1a1cb47a0f1c8663c68b9e0689007f8d3bd
                                                                                                  • Opcode Fuzzy Hash: bfad77c09892389c4485814dd7a8db84c2d6af64fb75877e7e8f6b2b871da546
                                                                                                  • Instruction Fuzzy Hash: 72F03720B08E9AC2FB4447A2F95477A6660EB84FD4F544131ED5E47B98CF2CD5D1C700
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FindWindow
                                                                                                  • String ID: SHELLDLL_DefView$WorkerW
                                                                                                  • API String ID: 134000473-2583568628
                                                                                                  • Opcode ID: a02ce4a47e3722e1ce5a4372299e297887f462741f6c8008b449c0fe13cb0ebb
                                                                                                  • Instruction ID: db58da049894204b21a16a118000a4a8fee56f719144e001cc69e1dea88d2357
                                                                                                  • Opcode Fuzzy Hash: a02ce4a47e3722e1ce5a4372299e297887f462741f6c8008b449c0fe13cb0ebb
                                                                                                  • Instruction Fuzzy Hash: 8DE030A1B05F46C1FF695BE1FA64BA52361AF48F94F489035C90D06B54DE3CD4D4C300
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: RaiseFailFastException$kernelbase.dll
                                                                                                  • API String ID: 1646373207-919018592
                                                                                                  • Opcode ID: 33f4f61da59ededdea6aefb74e35cd82206a814675d91858146eca4abc1f1d82
                                                                                                  • Instruction ID: 897455a387c6dd07823eda861e9280810139c54648818dab8693922b439a2582
                                                                                                  • Opcode Fuzzy Hash: 33f4f61da59ededdea6aefb74e35cd82206a814675d91858146eca4abc1f1d82
                                                                                                  • Instruction Fuzzy Hash: 48E06521B18B55C1EB548B52F9A02656360FF4CFC0B449535ED5D07B28CF3CD595C740
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                  • String ID:
                                                                                                  • API String ID: 2718003287-0
                                                                                                  • Opcode ID: 52c33f0f4fc68b1f3c2a3842e8bed91f01aab6976232962e0bdb7bd8e8fc79e4
                                                                                                  • Instruction ID: d897243f90a81dd1441e9adf74c52ddda1f9f5e3166368f9a157c46f032f5e44
                                                                                                  • Opcode Fuzzy Hash: 52c33f0f4fc68b1f3c2a3842e8bed91f01aab6976232962e0bdb7bd8e8fc79e4
                                                                                                  • Instruction Fuzzy Hash: D1D1D172F18A89D9EB10CFA5D4602AC37B1FB44B98F048235CE5D97B99DE38E596C340
                                                                                                  APIs
                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFD656B1FB3), ref: 00007FFD656B20E4
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FFD656B1FB3), ref: 00007FFD656B216F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleErrorLastMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 953036326-0
                                                                                                  • Opcode ID: af5d92c1cace1781b7f55f6834ddc705f2db52580a797490cce788124f166c46
                                                                                                  • Instruction ID: 425a60b03c242ef7a6071a366403334891abfca3760013df7877393d22bd99f0
                                                                                                  • Opcode Fuzzy Hash: af5d92c1cace1781b7f55f6834ddc705f2db52580a797490cce788124f166c46
                                                                                                  • Instruction Fuzzy Hash: 83919262B18A59C5FF618FA5D8A03BD2BE0AB45F88F544139DE0E67695CE38D4D2C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap_invalid_parameter_noinfo$FreeProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 3364316771-0
                                                                                                  • Opcode ID: 161acb2dc217c73e48788f21060d856e356ab8a03b65c34d3ecce736ef945018
                                                                                                  • Instruction ID: 45ab8161963439b45e1ba29f760733713a37bbe0d49631f480f1bb0f00702f5f
                                                                                                  • Opcode Fuzzy Hash: 161acb2dc217c73e48788f21060d856e356ab8a03b65c34d3ecce736ef945018
                                                                                                  • Instruction Fuzzy Hash: B0816966B09E8BC5FB558F95E6243796BA6FB04F94F188031CA1E07795CE3DE4A6C300
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                                                                                                  • String ID:
                                                                                                  • API String ID: 2611046820-0
                                                                                                  • Opcode ID: d643d0bd10388fe8a0b7d2f11e0fabd89ccfb895c8e2f6bf83bf6eb96ad11376
                                                                                                  • Instruction ID: bed7c9680a06c4496ddd28602259c50d538dcd509cbbf1aab0394e4bb381c3ac
                                                                                                  • Opcode Fuzzy Hash: d643d0bd10388fe8a0b7d2f11e0fabd89ccfb895c8e2f6bf83bf6eb96ad11376
                                                                                                  • Instruction Fuzzy Hash: AB417376B0CA4AC6EB208B95E86076EA7A1FB85F90F500036DB4D57664CF3CE9C1CB41
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: PerformanceQuery$#410#412CounterCursorFrequencyMenuPopupTrack
                                                                                                  • String ID:
                                                                                                  • API String ID: 2611046820-0
                                                                                                  • Opcode ID: 50d29e5d5d4cde36a68881f5cc577f9955b1ade5eb0b0abbcba982c4616bb6fa
                                                                                                  • Instruction ID: 56726e7f4ba1ef426bcc9c6a991b4d2381615daf03492f681d69af2b096de28e
                                                                                                  • Opcode Fuzzy Hash: 50d29e5d5d4cde36a68881f5cc577f9955b1ade5eb0b0abbcba982c4616bb6fa
                                                                                                  • Instruction Fuzzy Hash: 3C416C36F19A4AC6FB608B95E86176973A0FB85F84F500036E98E57654CF3CE9C1CB42
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExclusiveLock$AcquireRelease
                                                                                                  • String ID:
                                                                                                  • API String ID: 17069307-0
                                                                                                  • Opcode ID: 06dff6111a6ab23d7a8e5ebc3c04aa834feb7d5774efce5f54b4225c2b0d95b7
                                                                                                  • Instruction ID: 4957897367a36b0032f81e468c96e266f2261dc498c96986b64b1576effc692e
                                                                                                  • Opcode Fuzzy Hash: 06dff6111a6ab23d7a8e5ebc3c04aa834feb7d5774efce5f54b4225c2b0d95b7
                                                                                                  • Instruction Fuzzy Hash: DB217F22718B8AC1EB50DB61E5603ADA3A4FB88F84F584531EA8D83B59DF3CD591C700
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933794660-0
                                                                                                  • Opcode ID: eaa7e7bcf4fe3d42ae821e93649fc0302fd8afae25b3f1e7eaa4f26d506a1ee0
                                                                                                  • Instruction ID: 9eb01b75d5a65b9e1ccf308927224c58c940a835b7d293669b5618d579b01977
                                                                                                  • Opcode Fuzzy Hash: eaa7e7bcf4fe3d42ae821e93649fc0302fd8afae25b3f1e7eaa4f26d506a1ee0
                                                                                                  • Instruction Fuzzy Hash: 93111C26B15F05CAEB008FA0E8643B833B4F759B58F441A31DA6D467A4DF7CD1A4C340
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLocal
                                                                                                  • String ID: ====================================$Description: %s$Here is the stack trace:
                                                                                                  • API String ID: 2826327444-530566993
                                                                                                  • Opcode ID: f966af5b68ddf13da20e8f214a40d4c55b932213de1f3d731b12c39048192202
                                                                                                  • Instruction ID: bd4b7fa3745ac30b9052609cf91fc3187543cd1277d8480796c273f2705d8bf1
                                                                                                  • Opcode Fuzzy Hash: f966af5b68ddf13da20e8f214a40d4c55b932213de1f3d731b12c39048192202
                                                                                                  • Instruction Fuzzy Hash: 68F0C221F4CE4BC1FA54EB95E4313B96250AF55F40F480131EA8E47296EE2DE9C4C710
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                   • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
                                                                                                   • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CreateFrameInfo__except_validate_context_record
• String ID: csm
• API String ID: 2558813199-1018135373
• Opcode ID: 13fd3154715085dd0f014c0e559fa7e9ca83d2e20f6c5694adf46d1fc6ce1f7f
• Instruction ID: 0f79ac15e9d9069a3b1af036f2044572a434bbc3b0c6eb9d624aaa9cd5500eae
• Opcode Fuzzy Hash: 13fd3154715085dd0f014c0e559fa7e9ca83d2e20f6c5694adf46d1fc6ce1f7f
• Instruction Fuzzy Hash: E5512B32B19B4AC6E620AB65E55036E77F4FB9ABA0F140135EB8D07B55CF38E491CB01
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 4ef2fec41d66e7b0c39bf9e201830508b86a8f97eaffa894a0546182e11c999c
• Instruction ID: cc70c244dcc22d9730009962ec265cec2334954575877bb9ad02418d731ec773
• Opcode Fuzzy Hash: 4ef2fec41d66e7b0c39bf9e201830508b86a8f97eaffa894a0546182e11c999c
• Instruction Fuzzy Hash: B241C332B18E45D2DF208FA5E4643A967A1FB98B94F504031EE4D87798EF3CD491CB40
APIs
• GetErrorInfo.OLEAUT32(?,?,?,?,?,?,00000000,00007FFD6567B0F7,?,?,?,?,?,00000000,?,00007FFD6567B8AB), ref: 00007FFD6567B2FF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ErrorInfo
• String ID: RoOriginateLanguageException$combase.dll
• API String ID: 3619768924-3996158991
• Opcode ID: e60ef14456e3047da3f2c892e6cd504dd856c1c0403d603dd25a02e37ffad9df
• Instruction ID: 5f8673b0db0f8b3b2fe7517d7ddf5a2a06a34a701ac582e2bb381eaade6351d8
• Opcode Fuzzy Hash: e60ef14456e3047da3f2c892e6cd504dd856c1c0403d603dd25a02e37ffad9df
• Instruction Fuzzy Hash: F9315021B19F4AC1EE509F95E4A036A63A1FF88F94F885536E94E43765EF3CE581C700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ClassName
• String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
• API String ID: 1191326365-1433838494
• Opcode ID: b22c615c0da057ef35e7aeab3f088705a148a953072d4d545ca362a7cbbeb7c8
• Instruction ID: 89e1c6d63d29151aad72f7212524dfb85aa8037c149a8dfa4ba72786dc519e60
• Opcode Fuzzy Hash: b22c615c0da057ef35e7aeab3f088705a148a953072d4d545ca362a7cbbeb7c8
• Instruction Fuzzy Hash: 9D21C526B09949C2FBA49B96E4247B933A1FB99FA0F848132DD4E42694DF3CD4C5C701
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ClassName
• String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
• API String ID: 1191326365-1433838494
• Opcode ID: 6f5b0a9fa536abe2cebf4cef4adad2a9baaaccd021e20a6075825a4ab522f35a
• Instruction ID: b59dbb82054428c29a92c06ac98038250628c34356b4fe8caa95aab1a380bd8e
• Opcode Fuzzy Hash: 6f5b0a9fa536abe2cebf4cef4adad2a9baaaccd021e20a6075825a4ab522f35a
• Instruction Fuzzy Hash: FA21F726B19949C2F7A49B95E8247B97361FB99FA0F848132DD4D02794DF3CD4C5C301
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ClassName
• String ID: Shell_SecondaryTrayWnd$Shell_TrayWnd
• API String ID: 1191326365-1433838494
• Opcode ID: 7d690eed00541a1a3ff21cdf48d907f9b93627d4f5d46ef50a0d13f3d631b697
• Instruction ID: 0f818e6eb682224f6ec77a4f23a4f1282a82a6ad7ea32195df96b4d688ca5715
• Opcode Fuzzy Hash: 7d690eed00541a1a3ff21cdf48d907f9b93627d4f5d46ef50a0d13f3d631b697
• Instruction Fuzzy Hash: 8D21D726B09989C2FA649B95E4247B93361FB99FA0F848132DD4E02794DF3CD4C5C301
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: CacheFlushValue_invalid_parameter_noinfo
• String ID: Attributes
• API String ID: 3611136396-2126945696
• Opcode ID: 61f8949d13c83116c11eca864c0a5fa46b1603fb9721b1164daadc07d62b2ca3
• Instruction ID: c1e1d8bf6ebfcd819711d36879f90fe3f5d893763d35e43329dd30d163bb9474
• Opcode Fuzzy Hash: 61f8949d13c83116c11eca864c0a5fa46b1603fb9721b1164daadc07d62b2ca3
• Instruction Fuzzy Hash: AF115C36B09E89C6EB60DF55E86076677A0AB48F98F440035ED4D47B65EF3CE491CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$AddressHandleModuleOpenProcQueryValue
• String ID: xx????xxx????xxxxx
• API String ID: 1029361184-12075917
• Opcode ID: 84be14ec43e9f9d8511ac0f712018cbc1a22bb8046b369e59bee89df6206f83a
• Instruction ID: f8f39e54f8d03d50bf856ebc05f9bf0d8b14234df70fd33c80910feea64dca9f
• Opcode Fuzzy Hash: 84be14ec43e9f9d8511ac0f712018cbc1a22bb8046b369e59bee89df6206f83a
• Instruction Fuzzy Hash: A4214A24F09E8AC6FB60DFA1E42576623A1BF96F48F444035D94D426A4DF3CE5C4CB02
APIs
Strings
• $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current, xrefs: 00007FFD6566FCCE
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Open
• String ID: $start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
• API String ID: 71445658-2485209836
• Opcode ID: 31070c82b62bc71c7a479a78f4de297f3264b8cf6f54855808b177f40f462745
• Instruction ID: adbe4ea92ef1ebb3cb911cb96d04ebb402d941494750503cfdc7a0ab005052c8
• Opcode Fuzzy Hash: 31070c82b62bc71c7a479a78f4de297f3264b8cf6f54855808b177f40f462745
• Instruction Fuzzy Hash: D8010526B18F89C1DB148B42F85012AB3A5FB89FC4F540125EE8D47B69DF3DE491CB00
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
• Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
Similarity
• API ID: Valuelstrcmp
• String ID: ReplaceVan
• API String ID: 372169353-130473729
• Opcode ID: a9a3f3f434d355c5e894d57583558c5d7c681a3fa1c53be222b2ad6a79273646
• Instruction ID: a1a8af065ad6205876ded68e5921f2cecb9cfaab41eda7c4da6d47ac000b4f48
• Opcode Fuzzy Hash: a9a3f3f434d355c5e894d57583558c5d7c681a3fa1c53be222b2ad6a79273646
• Instruction Fuzzy Hash: DAF0D632B08B85C2EB508B5AF44021AA7A4F788BD4F584125EB8D47B28DF7CD496CB04
APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value
                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerPatcher$XamlSounds
                                                                                                  • API String ID: 3702945584-1822384862
                                                                                                  • Opcode ID: 2f85c276816b64db271d63056cae849b9d62bd88adbcb79f71df07118e0746e8
                                                                                                  • Instruction ID: d98282f908737604b48b7f1e62a099ebc16abaadb11998b1362a86ff50e4456e
                                                                                                  • Opcode Fuzzy Hash: 2f85c276816b64db271d63056cae849b9d62bd88adbcb79f71df07118e0746e8
                                                                                                  • Instruction Fuzzy Hash: 73F03C72618A45C6EB108F54F49429A73B4FB89B54FD0023AE79D06B58DF3DD595CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message
                                                                                                  • String ID: 0
                                                                                                  • API String ID: 2030045667-4108050209
                                                                                                  • Opcode ID: 011ec22fce94ba3ff84e82e6c18522a1931c76968a3f17c017fed1cbe9ec85c1
                                                                                                  • Instruction ID: 21e6ffc7a4397bc56f91b90a203407bc7a4ae2cb50fc97bf6c9d2dfa3aefbe32
                                                                                                  • Opcode Fuzzy Hash: 011ec22fce94ba3ff84e82e6c18522a1931c76968a3f17c017fed1cbe9ec85c1
                                                                                                  • Instruction Fuzzy Hash: 2DF01C71B18B46C2EB249B94F46532AB3B0FB89B58F900125D68D0A754DFBDD195CB00
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ModuleProtectVirtual$CurrentHandleInformationLibraryLoadProcess
                                                                                                  • String ID: Windows.UI.Xaml.dll
                                                                                                  • API String ID: 3223347177-2173645706
                                                                                                  • Opcode ID: 83c6e07b6ed7201ee886327af6e0a44253c6d043d4bfed3b76930e47fd0731fe
                                                                                                  • Instruction ID: 8ee10834175152093c76e517d024b9ed5e7580d4fafae5a00b4b65558c25e920
                                                                                                  • Opcode Fuzzy Hash: 83c6e07b6ed7201ee886327af6e0a44253c6d043d4bfed3b76930e47fd0731fe
                                                                                                  • Instruction Fuzzy Hash: BAD06251F5AE0EC1FE255791D87537551619F59F51B481034C91E0D3A1EE2CE4D5C610
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.11955328548.00007FFD65651000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFD65650000, based on PE: true
                                                                                                  • Associated: 0000000C.00000002.11955300961.00007FFD65650000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955389788.00007FFD656BD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955418560.00007FFD656EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955439245.00007FFD656EB000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955462765.00007FFD656F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955489974.00007FFD656F2000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955507911.00007FFD656F8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                  • Associated: 0000000C.00000002.11955527575.00007FFD656FB000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_7ffd65650000_explorer.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$FindProcessThread
                                                                                                  • String ID: ApplicationManager_ImmersiveShellWindow
                                                                                                  • API String ID: 3928697162-213675812
                                                                                                  • Opcode ID: 785884996038eb07269ece9f2aac681ad31a3c997a130d15eced3052a72fa19b
                                                                                                  • Instruction ID: b0f63f2fa541404c19534632fd65684f97e9c8cf1fe9603530ff011aad8619f1
                                                                                                  • Opcode Fuzzy Hash: 785884996038eb07269ece9f2aac681ad31a3c997a130d15eced3052a72fa19b
                                                                                                  • Instruction Fuzzy Hash: BFD01265F09F06C2FB18ABB2E8607751672AB89B40F808435C80F06654DE3C91D5C300