Windows Analysis Report
S1Rv3ioghk.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4228

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\659d486c-a0d5-4a62-a59f-e6d7b1b1d752

Source: S1Rv3ioghk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: S1Rv3ioghk.exe	ReversingLabs: Detection: 65%
Source: S1Rv3ioghk.exe	Virustotal: Detection: 66%

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe

File read: C:\Users\user\Desktop\S1Rv3ioghk.exe

Source: unknown	Process created: C:\Users\user\Desktop\S1Rv3ioghk.exe "C:\Users\user\Desktop\S1Rv3ioghk.exe"
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 852
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: yyzybase.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Source: wps_lid.lid-s8HDMqE8a6Xy.exe.lnk.4.dr

LNK file: ..\..\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe

Source: S1Rv3ioghk.exe

Static file information: File size 4477216 > 1048576

Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002B7D000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000004.00000000.2055889218.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr
Source:	Binary string: ?COMCTL32.dllWINHTTP.dllcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMLoad file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldout of memoryself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certCertificate public key has explicit ECC parametersunknown certificate verification errorcrypto\asn1\x_info.ccrypto\pem\pem_info.cRSA P
Source:	Binary string: H:\func_v12_i18n_202411_branch\Build\Release\WPSOffice\office6\addons\konlinesetup_xa\konlinesetup_xa.pdb source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .tp6d

Source: S1Rv3ioghk.exe	Static PE information: real checksum: 0x69041 should be: 0x44b1e8
Source: yyzyBase.dll.0.dr	Static PE information: real checksum: 0x3b14ca should be: 0x3bb6cb

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6a
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d
Source: yyzyBase.dll.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C7C12AA push ecx; ret

4_2_6C7C12BD

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d entropy: 7.90195668192099

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	File created: C:\Users\Public\Bulete\program\yyzyBase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	File created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to dropped file
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	File created: C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe	Jump to dropped file

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76CCDF IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,	4_2_6C76CCDF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C712E3D SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	4_2_6C712E3D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C712E3D SetForegroundWindow,IsIconic,PostMessageW,IsIconic,	4_2_6C712E3D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C710BFE IsIconic,	4_2_6C710BFE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76B422 GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,SaferiSearchMatchingHashRules,	4_2_6C76B422
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C763428 IsWindowVisible,IsIconic,	4_2_6C763428
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76D4B8 IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C76D4B8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76D4B8 IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C76D4B8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76D4B8 IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	4_2_6C76D4B8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76D5D3 IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	4_2_6C76D5D3
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76B6ED IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,	4_2_6C76B6ED
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C6FF7F4 IsIconic,GetClientRect,	4_2_6C6FF7F4
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C76D7DC IsIconic,PostMessageW,	4_2_6C76D7DC

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe

Dropped PE file which has not been started: C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe

Jump to dropped file

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

API coverage: 2.3 %

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 1848

Thread sleep time: -73000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Last function: Thread delayed

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C7DC637 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

4_2_6C7DC637

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Thread delayed: delay time: 73000

Source: S1Rv3ioghk.exe	Binary or memory string: Hyper-V enabled!UEFI Secure Variables (VbsPolicy)
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: S1Rv3ioghk.exe	Binary or memory string: Hyper-V not available
Source: S1Rv3ioghk.exe	Binary or memory string: Hyper-V Hypervisor running: %i
Source: S1Rv3ioghk.exe	Binary or memory string: XThe system has not the required hardware support (SLAT, VMX, ...) to run the Hypervisor.#Hyper-V hypervisor is not running.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: S1Rv3ioghk.exe	Binary or memory string: Hyper-V not started
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Process queried: DebugPort

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_004A152F LdrInitializeThunk,

4_2_004A152F

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C7BEEF7 IsDebuggerPresent,OutputDebugStringW,

4_2_6C7BEEF7

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C702FB6 OutputDebugStringA,GetLastError,

4_2_6C702FB6

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C6D287A GetProcessHeap,

4_2_6C6D287A

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C7C0526 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C7C0526
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C87C288 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6C87C288
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 4_2_6C7ED34B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6C7ED34B

Source: C:\Users\user\Desktop\S1Rv3ioghk.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe			Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,	4_2_6C7C2B58
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C8904C8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_6C8905BA
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C890513
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C8906C0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C8900A6
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C88602B
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C890141
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	4_2_6C890394
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C8903F3
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_6C88FE55
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	4_2_6C885A0C

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C87D26F GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

4_2_6C87D26F

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C8862A6 GetTimeZoneInformation,

4_2_6C8862A6

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 4_2_6C7FC456 __EH_prolog3_GS,GetVersionExW,CoInitializeEx,CoCreateInstance,

4_2_6C7FC456

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
S1Rv3ioghk.exe	66%	ReversingLabs	Win32.Trojan.DllHijack
S1Rv3ioghk.exe	67%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	0%	ReversingLabs
C:\Users\Public\Bulete\program\yyzyBase.dll	83%	ReversingLabs	Win32.Trojan.DllHijack
C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF	0%	Avira URL Cloud	safe
http://dw-collect-debug.ksord.com)datesign_eventslocal	0%	Avira URL Cloud	safe
https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0#	0%	Avira URL Cloud	safe
https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.wps.com/eula	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://sectigo.com/CPS0	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
http://ocsp.sectigo.com0	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
https://curl.se/docs/http-cookies.html	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=&version=&chann	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://dw-collect-debug.ksord.com)datesign_eventslocal	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.wps.com/privacy-policy	wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
https://curl.se/docs/alt-svc.html	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://ocsp.sectigo.com0#	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/SOFTWARE	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://curl.se/docs/hsts.html	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	S1Rv3ioghk.exe, yyzyBase.dll.0.dr	false		high
http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.9.0dcsdk_eventv3.dbdcsdk_dpv3.data10C	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=kdcsdk_infoc/wps/client/appcountrycodelastupdate	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
http://en.ksupdate.com/errorreport/uphttps://en.ksupdate.com/errorreport/up-crashdmp	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://www.wps.com/eulaprivacy_policylicense_agreementlabelTitleMsg_Wps_OnlineSetup_TaskMsgMsg_Wps_	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high
https://website-prod.cache.wpscdn.com/pkgs/win/setup_XA_mui_Free.exeSOFTWARE	S1Rv3ioghk.exe, 00000000.00000003.2050804916.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581258
Start date and time:	2024-12-27 09:11:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	S1Rv3ioghk.exe renamed because original name is a hash value
Original Sample Name:	FD7EC2C34E2593E4D606E0A9D37E257A.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@7/10@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 36 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.181.5, 40.126.53.9, 40.126.53.7, 40.126.53.10, 20.231.128.65, 20.231.128.66, 40.126.53.19, 20.190.181.1, 52.182.143.212, 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target S1Rv3ioghk.exe, PID 4464 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:12:42	API Interceptor	1x Sleep call for process: ShellExperienceHosts.exe modified
03:13:10	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	TEKujpTgCK.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	TEKujpTgCK.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ShellExperienceH_9ebf27faaf6a430edb59dfc1b8a825429b7f435_1781b6b3_b57b74fb-7dcd-4d53-a160-00324adff80c\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.987482460062348
Encrypted:	false
SSDEEP:	192:/YzuLn0BU/oj4+ZrFpuzuiFdOZ24IO8m:QzuL0BU/ojwzuiFdOY4IO8m
MD5:	A6CBD31BC35A27049FB2C73CA828B8D2
SHA1:	B7A7EE42CE20F5CABBCD684FD94087C4AADBF4C2
SHA-256:	427FB044D643DE8A2BE06A94F63E50C10A8DA96A7254C65DE0499D504A4CDED0
SHA-512:	3CAEF9540CC61D6B2091A1877760546CB5DCAE211C74D3B242D229A1D4AC73BC0C051D6761015718642BAD0DFCA57F8C0CFBC0DAEF360956C41517470B217363
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.7.6.0.7.6.3.5.9.4.6.4.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.7.6.0.7.6.4.0.4.7.7.6.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.7.b.7.4.f.b.-.7.d.c.d.-.4.d.5.3.-.a.1.6.0.-.0.0.3.2.4.a.d.f.f.8.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.5.2.3.2.c.2.-.b.b.3.f.-.4.9.c.2.-.b.8.e.d.-.6.0.0.e.d.2.0.f.7.0.6.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.h.e.l.l.E.x.p.e.r.i.e.n.c.e.H.o.s.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.8.4.-.0.0.0.1.-.0.0.1.4.-.9.2.0.6.-.f.b.1.9.3.7.5.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.c.f.c.b.3.c.8.9.5.5.4.9.d.a.1.a.b.6.8.b.3.5.e.f.d.3.1.d.2.d.5.0.0.0.0.0.9.0.4.!.0.0.0.0.7.8.4.d.3.e.d.3.5.d.0.4.0.0.9.1.a.e.2.0.9.7.9.2.e.2.f.a.8.f.c.9.7.e.e.6.a.0.7.1.!.S.h.e.l.l.E.x.p.e.r.i.e.n.c.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5429.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 27 08:12:43 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	61664
Entropy (8bit):	1.8786683522054242
Encrypted:	false
SSDEEP:	192:BTyNrX4QZQM4CUmOhUrIyzA+W7yAfskcLM7Wi2pOaRixj7tFtOTcMbA:1y6Q2M4CUxEIk0gmaAxnFOoiA
MD5:	C22AF7694FB500999E7E8DEE00D7A223
SHA1:	D8445660E95DA2A43230B644A5E70BB4F93A2517
SHA-256:	E4761931555B02DD48256AA9EA9AD79B3D92DF71B58DF3B3C21EA4A960C2C8ED
SHA-512:	29E59C9AFF4C641913A752220C320E4DC440189175C5856F046FDA16433C60FABF29426F7B59F5D9EFC01AA218DEA2D0047D0C60F1AAC03D330F53457383EF41
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......{ang............$...............,............9..........T.......8...........T............$..@...........H...........4...............................................................................eJ..............GenuineIntel............T...........yang.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER54F5.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6390
Entropy (8bit):	3.7190354641963057
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbmx6DgY1QE/kM45aM4Un89bPUYsfbF9Cm:R6l7wVeJmx6DgY14prn89bMYsfbFEm
MD5:	08FC333B551227010103EC656A175D2E
SHA1:	8604A8A325024BE1540F2F0FE4AE19FEBDE23B8D
SHA-256:	FBC5C82651686E3F6780469933EDA51D48DABFF2E990BB1EBDA4A34DD214BF44
SHA-512:	295033B3E074B2F24A54119E185660AB80A446AC76FF86AEE956DDDD2627D7BAD6D08800D1891FABC3197772932DD161EF31C0AFFB8F3D569D2B11525A77B175
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5525.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4685
Entropy (8bit):	4.4998322296935696
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9yNWpW8VYpYm8M4JAtPztrFW+q8AtztBX14LKuhDUd:uIjfQI7g87VBJAtLtMBtztL4uutUd
MD5:	8F33BA805A22EE360497BE393B9A78D1
SHA1:	CEDD5ED56C35200D614B0CC6D4FC43D5B1014717
SHA-256:	9F653D43778497AAB6513681A7379F1DC82085042CDB6177D35D86576F175609
SHA-512:	0F91A40BA4F4061B3E989B86310558239D34CBD21FC67FEBEA51C4C1064BC2573E8E9C1728E049828849B647F7E96C4C65DAF5551BB5DA032850D2CE0398C2CA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="649395" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\Bulete\program\IOVAS

Process:	C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.234069531114784
Encrypted:	false
SSDEEP:	3:iqkHHQwRS2k0OGad+FLin:ilnQwRSDnWLi
MD5:	E2FA2D0BD626C372F9EFA15C317F46B1
SHA1:	1CAA48FE6CA1483AE9A725E76D0D818051A72371
SHA-256:	39C5EC16491E480806D170BD2A8BC2C37623E55412088ED11F21DE7D9146CA73
SHA-512:	115A02EE1C1EF7A8CF2854969343813928C187DF0BB9CD1DE832236EDCBE675749C9B17C0F15E545712857FEE7B637473858076F071C94888687C381570572F1
Malicious:	false
Reputation:	low
Preview:	U2FsdGVkX19SSgxWGselBWOCnDAwAjUSAJ8Fo8HIt6cUaOMqZptM4GJaCI/aSrXz

C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Process:	C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	649416
Entropy (8bit):	6.182028963232553
Encrypted:	false
SSDEEP:	12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5:	0922B22053A6D5D9516EA910D34A4771
SHA1:	784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256:	41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512:	909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TEKujpTgCK.exe, Detection: malicious, Browse Filename: TEKujpTgCK.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................

C:\Users\Public\Bulete\program\yyzyBase.dll

Process:	C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3900728
Entropy (8bit):	6.921777359365007
Encrypted:	false
SSDEEP:	98304:j9G9uqf+tQ+5ObxeayQwz10kfVtOpDLYAznM71B99gnImkJ:j9qfyixeVtqktjAznM7X9+ImkJ
MD5:	E6B35BB2692E704C72FAD83DE5C86E67
SHA1:	B8335960E3A92ED8C436B46FCF9D1518902D8A1B
SHA-256:	48756A865554BFBBEAF25A0DDB3B16AF44F113327BA5C01A506E37F3F584D64D
SHA-512:	B7B1F0528AE5DEE82C4A057A9D99F716AB24A05A2D832CD15BE3CFC738CA97FF0A31DEC3877A32F189C9554364F7B024AB27BED0B4B94DE6B9F4D7DD9FBF03D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...B.Qg...........!.....^...r...............................................`;.......;...@.........................H ".L.... ".......$..L............:.8.....8............................... ......M ............. -"..............................text...8\.......^.................. ..`.rdata...'...p...(...b..............@..@.data.........#..p....#.............@....00cfg.......`$.......#.............@..@.tls.........p$.......#.............@....rsrc....L....$..N....#.............@..@.reloc........8......L8.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe

Process:	C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5910912
Entropy (8bit):	6.969603243680094
Encrypted:	false
SSDEEP:	98304:O6pg+4qaSDRumxkEpMH1FkQmOnhTjqsaUODS4IeOsyrwuv/guB/k:V5IS1FnpAvHZwiO2AOsezgyk
MD5:	5C8ABA9389C18C86BDD8014A0236D165
SHA1:	C01D208B37F913BF0D49306A715234C8C26CCB95
SHA-256:	5BDEB32D9035F87180E12AF1FB48E8DC1D921125265840A43DA067EDA31645EF
SHA-512:	217881B7DF89865139D9A74584EA1B28AA952C478D5CFDA20D5744C34579EFD2C2DEB4E534AFE32EAAAC9B998D956D5B7B8CA72305F9FB78D03D7C46FCD515D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......#..Yg..g..g..<...~..<......<...f....q.j..5...t..5...}..<...f..5......<...x..<...d..g..r.........g..............s.f..g...e......f..Richg..........PE..L....(2g.................V>..........V'......p>...@...........................Z.......Z...@...................................K.(.....L..S............Y..Q....W.H....6I.8...................@6I.....h\|F.@............p>.`.....J.@....................text....T>......V>................. ..`.rdata.......p>......Z>.............@..@.data...TR...0K.......K.............@....rsrc....S....L..T....K.............@..@.reloc..H.....W......HW.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\wps_lid.lid-s8HDMqE8a6Xy.exe.lnk

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 27 07:12:41 2024, mtime=Fri Dec 27 07:12:41 2024, atime=Thu Dec 5 08:47:57 2024, length=5910912, window=hide
Category:	dropped
Size (bytes):	1121
Entropy (8bit):	4.718041956468457
Encrypted:	false
SSDEEP:	12:8psC1RUYNNlCECHqXfRnMcXXACmqyP4i8zKt4n0I6bjAUROQdStGi6yavAt4t2YS:8ps4TPy37yKY76vAURHSx6/vA/qygm
MD5:	07E066F5334856CE8E1960A29A836F67
SHA1:	0F2A8BC4F92FED4DBB9B58A7DC66AB8E8AF2F22B
SHA-256:	88AC0D55A55A5D3DEB0BE56F6E977B667068A9D54B9AB1EA8A61AFDD2C9B168D
SHA-512:	9B853AA2F5AD412BB41121B01593CC79527376301AE86E1116DFF1D4332A233647204C97FBB30D8128784708463EE5F288BEB5A61C49421F60A7780E3C112582
Malicious:	false
Preview:	L..................F.... ....t..7X..y...7X...xS..F...1Z..........................P.O. .:i.....+00.../C:\...................x.1.....DW(m..Users.d......OwH.Y.A....................:.....NvM.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1......Y.A..Public..f......O.I.Y.A....+...............<......h..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......Y.A..Bulete..>......Y.A.Y.A....8.....................'D}.B.u.l.e.t.e.......2..1Z..Y.M .WPS_LI~1.EXE..j......Y.A.Y.A....?.....................q"..w.p.s._.l.i.d...l.i.d.-.s.8.H.D.M.q.E.8.a.6.X.y...e.x.e.......b...............-.......a............+.%.....C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe..0.....\.....\.P.u.b.l.i.c.\.B.u.l.e.t.e.\.w.p.s._.l.i.d...l.i.d.-.s.8.H.D.M.q.E.8.a.6.X.y...e.x.e..........v...cM.jVD.Es.!...`.......X.......124406...........hT..CrF.f4... .z2=.b...,...W..hT..CrF.f4... .*z2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421876653028855
Encrypted:	false
SSDEEP:	6144:5Svfpi6ceLP/9skLmb0OTsWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTwA:wvloTsW+EZMM6DFyD03wA
MD5:	8B119C066F23D028A9EF615E0DC773AE
SHA1:	4C14AF7C9CB6C41B61EF4E1FDCE0DEDC2B2725F2
SHA-256:	42936232685E3A7E6FBFCFA8DBC428843190413C338CB679B19C879ECD9E78FB
SHA-512:	F3367C15F725F0FC7CC3E01608D4EAC2DA9DF2E1E3F99E3BA87F93394242A86885AECDEB56F675ECF7C0918323E4A8EC45792553DD9D6DD114D6834CCD557CCE
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj...7X...............................................................................................................................................................................................................................................................................................................................................\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.931775445441287
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	S1Rv3ioghk.exe
File size:	4'477'216 bytes
MD5:	fd7ec2c34e2593e4d606e0a9d37e257a
SHA1:	aac4d5282290c1da30acbf00703c02c5e6ee4b6e
SHA256:	17a742ca6bd9bd88de4f83074d17d1f74faec1b04d177bef710229c77d9e6e21
SHA512:	9cdedf8b49e2eccf54719ca8db1cf462bef874a1a5c0c5b7cb91864da3dcce2971b2318effb7c0c7d126ec26bb801e524e2c4f477087e708670970a744c3b470
SSDEEP:	98304:1pe1S1L/GhYOiYjZJyY0HfyGADpjpB/t7Q/vrJpB8yG+W:1p7dOeFYjXmWZpA/vrJpKy7W
TLSH:	0F2622D83394E369E6B19530E6A356F41972AD9AE920F47BD2643F0C2DB4F04A17432F
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................h...............0....@.................................A........................................P...........,............C.8..

File Icon


Icon Hash:	3f43e872666cd520

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/03/2023 20:00:00 12/03/2024 19:59:59
Subject Chain	CN=Intel Corporation, O=Intel Corporation, S=California, C=US
Version:	3
Thumbprint MD5:	D33A22FCE39A6199A642B44AD0FC8B60
Thumbprint SHA-1:	2F395649AEAD9175BBF761901050546E7A10AA0C
Thumbprint SHA-256:	CDE983898016FC3807D26E1B770A5516C52D855BCB523705C0826B00267D58A2
Serial:	00A90FA001692A0CC5CCF51B5821F2952C

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F35D4EF2862h
cmp dword ptr [00417710h], ebx
jne 00007F35D4EF274Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F35D4EF2834h
push 00417048h
push 00417044h
call 00007F35D4EF281Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F35D4EF27ECh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x52cfc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x439fe8	0xb138
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x52cfc	0x52e00	245e0061051191c28806833062f9d410	False	0.1521434294871795	data	4.9556234886773645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x1c3c0	0x198	PNG image data, 210 x 143, 4-bit colormap, non-interlaced	Chinese	China	0.8406862745098039
RT_CURSOR	0x1c558	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"			0.35714285714285715
RT_CURSOR	0x1c68c	0x134	data			0.44155844155844154
RT_CURSOR	0x1c7c0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.40584415584415584
RT_CURSOR	0x1c8f4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.5746753246753247
RT_CURSOR	0x1ca28	0x134	AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.4642857142857143
RT_CURSOR	0x1cb5c	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1cc90	0x134	data			0.3409090909090909
RT_CURSOR	0x1cdc4	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.4837662337662338
RT_CURSOR	0x1cef8	0x134	AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd			0.711038961038961
RT_CURSOR	0x1d02c	0x134	data			0.6038961038961039
RT_CURSOR	0x1d160	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.36038961038961037
RT_CURSOR	0x1d294	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3474025974025974
RT_CURSOR	0x1d3c8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd			0.4383116883116883
RT_CURSOR	0x1d4fc	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.35064935064935066
RT_CURSOR	0x1d630	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4512987012987013
RT_CURSOR	0x1d764	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.39285714285714285
RT_CURSOR	0x1d898	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x1d9cc	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1db00	0x134	data			0.4805194805194805
RT_CURSOR	0x1dc34	0x134	data			0.38311688311688313
RT_CURSOR	0x1dd68	0x134	data			0.36038961038961037
RT_CURSOR	0x1de9c	0x134	data			0.4090909090909091
RT_CURSOR	0x1dfd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x1e104	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x1e2d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x1e4a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1e674	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x1e844	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1ea14	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1ead4	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1eb94	0xa8	Device independent bitmap graphic, 10 x 8 x 4, image size 64			0.49404761904761907
RT_BITMAP	0x1ec3c	0x134	Device independent bitmap graphic, 18 x 17 x 4, image size 204			0.37337662337662336
RT_BITMAP	0x1ed70	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.41304347826086957
RT_BITMAP	0x1ee28	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.45652173913043476
RT_BITMAP	0x1eee0	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.42391304347826086
RT_BITMAP	0x1ef98	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.44565217391304346
RT_BITMAP	0x1f050	0x90	Device independent bitmap graphic, 8 x 10 x 4, image size 40			0.4861111111111111
RT_BITMAP	0x1f0e0	0x11c	Device independent bitmap graphic, 38 x 9 x 4, image size 180			0.4507042253521127
RT_BITMAP	0x1f1fc	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0x1f2bc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0x1f39c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0x1f47c	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5285714285714286
RT_BITMAP	0x1f508	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.41
RT_BITMAP	0x1f5d0	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.39
RT_BITMAP	0x1f698	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.45
RT_BITMAP	0x1f724	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.25
RT_BITMAP	0x1f95c	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.20950704225352113
RT_BITMAP	0x1fb94	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5071428571428571
RT_BITMAP	0x1fc20	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5142857142857142
RT_BITMAP	0x1fcac	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.4857142857142857
RT_BITMAP	0x1fd38	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.21654929577464788
RT_BITMAP	0x1ff70	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.3232758620689655
RT_BITMAP	0x20058	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.28448275862068967
RT_BITMAP	0x20140	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.2629310344827586
RT_BITMAP	0x20228	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.33189655172413796
RT_ICON	0x20310	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.2473404255319149
RT_ICON	0x20778	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m			0.15655737704918032
RT_ICON	0x21100	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.12101313320825516
RT_ICON	0x221a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m			0.07655601659751038
RT_ICON	0x24750	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.056211620217288615
RT_ICON	0x28978	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m			0.03660395207063275
RT_ICON	0x31e20	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m			0.027135336566899326
RT_ICON	0x42648	0x1104	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9687786960514233
RT_ICON	0x4374c	0x2388	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced			0.9195250659630607
RT_DIALOG	0x45ad4	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x45ba0	0x1b4	data	English	United States	0.5458715596330275
RT_STRING	0x45d54	0x40	data	English	United States	0.609375
RT_STRING	0x45d94	0x81a	data	English	United States	0.3322082931533269
RT_STRING	0x465b0	0x302	data	English	United States	0.4649350649350649
RT_STRING	0x468b4	0x298	data	English	United States	0.46536144578313254
RT_STRING	0x46b4c	0x328	data	English	United States	0.4405940594059406
RT_STRING	0x46e74	0xc2	data	English	United States	0.5721649484536082
RT_STRING	0x46f38	0x3e	data	Chinese	China	0.6935483870967742
RT_STRING	0x46f78	0x5ce	data	English	United States	0.37012113055181695
RT_STRING	0x47548	0x188	data	English	United States	0.4336734693877551
RT_STRING	0x476d0	0x5fa	OpenPGP Public Key	English	United States	0.3457516339869281
RT_STRING	0x47ccc	0x97c	data	English	United States	0.2759472817133443
RT_STRING	0x48648	0x3de	data	English	United States	0.33636363636363636
RT_STRING	0x48a28	0x114	data	English	United States	0.5652173913043478
RT_STRING	0x48b3c	0x3ba	data	English	United States	0.34276729559748426
RT_STRING	0x48ef8	0x9a	data	English	United States	0.5844155844155844
RT_STRING	0x48f94	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x491ac	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x497d0	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x49e30	0x2e2	data	English	United States	0.4037940379403794
RT_STRING	0x4a114	0x6c	data			0.6851851851851852
RT_STRING	0x4a180	0x2d0	data			0.46111111111111114
RT_STRING	0x4a450	0x250	data			0.49155405405405406
RT_STRING	0x4a6a0	0x214	data			0.4567669172932331
RT_STRING	0x4a8b4	0x180	data			0.5286458333333334
RT_STRING	0x4aa34	0x1a4	data			0.5428571428571428
RT_STRING	0x4abd8	0x3c0	data			0.3489583333333333
RT_STRING	0x4af98	0x6a4	data			0.36
RT_STRING	0x4b63c	0x48c	data			0.38230240549828176
RT_STRING	0x4bac8	0x19c	data			0.5145631067961165
RT_STRING	0x4bc64	0xec	data			0.597457627118644
RT_STRING	0x4bd50	0x1a8	data			0.5
RT_STRING	0x4bef8	0x2b8	data			0.4454022988505747
RT_STRING	0x4c1b0	0x414	data			0.36398467432950193
RT_STRING	0x4c5c4	0x3b4	data			0.37658227848101267
RT_STRING	0x4c978	0x340	data			0.3762019230769231
RT_STRING	0x4ccb8	0x354	data			0.35563380281690143
RT_STRING	0x4d00c	0x2d0	data			0.4513888888888889
RT_STRING	0x4d2dc	0xd8	data			0.5694444444444444
RT_STRING	0x4d3b4	0xf0	data			0.55
RT_STRING	0x4d4a4	0x350	data			0.4033018867924528
RT_STRING	0x4d7f4	0x384	data			0.37444444444444447
RT_STRING	0x4db78	0x2d8	data			0.375
RT_RCDATA	0x4de50	0x10	data			1.5
RT_RCDATA	0x4de60	0x590	data			0.6327247191011236
RT_RCDATA	0x4e3f0	0x133db	Delphi compiled form 'TCreatePluginForm'			0.09238558069305046
RT_RCDATA	0x617cc	0x2f1a	Delphi compiled form 'TdxBarCustomizingForm'			0.25543207828827336
RT_RCDATA	0x646e8	0x4b0	Delphi compiled form 'TdxBarItemAddEditor'			0.4608333333333333
RT_RCDATA	0x64b98	0x287	Delphi compiled form 'TdxBarNameEd'			0.6058732612055642
RT_RCDATA	0x64e20	0x171	Delphi compiled form 'TdxBarSubMenuEditor'			0.7100271002710027
RT_RCDATA	0x64f94	0x1491	Delphi compiled form 'TFindForm'			0.2641975308641975
RT_RCDATA	0x66428	0x49c	Delphi compiled form 'TfrmAddGroupItems'			0.4610169491525424
RT_RCDATA	0x668c4	0x1595	Delphi compiled form 'THintForm'			0.11782805429864253
RT_RCDATA	0x67e5c	0x1aaf	Delphi compiled form 'TInputStringForm'			0.2577953447518665
RT_MESSAGETABLE	0x6990c	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_CURSOR	0x6c14c	0x14	data			1.35
RT_GROUP_CURSOR	0x6c160	0x14	data			1.3
RT_GROUP_CURSOR	0x6c174	0x14	data			1.4
RT_GROUP_CURSOR	0x6c188	0x14	data			1.4
RT_GROUP_CURSOR	0x6c19c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1b0	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1c4	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1d8	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1ec	0x14	data			1.4
RT_GROUP_CURSOR	0x6c200	0x14	data			1.4
RT_GROUP_CURSOR	0x6c214	0x14	data			1.4
RT_GROUP_CURSOR	0x6c228	0x14	data			1.4
RT_GROUP_CURSOR	0x6c23c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c250	0x14	data			1.4
RT_GROUP_CURSOR	0x6c264	0x14	data			1.4
RT_GROUP_CURSOR	0x6c278	0x14	data			1.4
RT_GROUP_CURSOR	0x6c28c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c2a0	0x14	data			1.4
RT_GROUP_CURSOR	0x6c2b4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2c8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2dc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c304	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x6c318	0x84	data			0.7045454545454546
RT_VERSION	0x6c39c	0x3f4	data			0.475296442687747
RT_VERSION	0x6c790	0x328	data	English	United States	0.44183168316831684
RT_MANIFEST	0x6cab8	0x244	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.453448275862069

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
Russian	Russia
English	United States

Target ID:	0
Start time:	03:12:40
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\S1Rv3ioghk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S1Rv3ioghk.exe"
Imagebase:	0x400000
File size:	4'477'216 bytes
MD5 hash:	FD7EC2C34E2593E4D606E0A9D37E257A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:12:41
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	03:12:41
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:12:41
Start date:	27/12/2024
Path:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase:	0x400000
File size:	649'416 bytes
MD5 hash:	0922B22053A6D5D9516EA910D34A4771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	03:12:43
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 852
Imagebase:	0x1e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true