Edit tour

Windows Analysis Report
dotNetFx35setup.exe

Overview

General Information

Sample name:	dotNetFx35setup.exe
Analysis ID:	1426591
MD5:	269f314b87e6222a20e5f745b6b89783
SHA1:	b0ca05c12ebb9a3610206bad7f219e02b7873cbd
SHA256:	c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

dotNetFx35setup.exe (PID: 4092 cmdline: "C:\Users\user\Desktop\dotNetFx35setup.exe" MD5: 269F314B87E6222A20E5F745B6B89783)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess,		0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess,		0_2_01004BAD

Source:	Binary string: sfxcab.pdb source: dotNetFx35setup.exe
Source:	Binary string: sfxcab.pdbU source: dotNetFx35setup.exe

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01004373 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA,

0_2_01004373

Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01003341 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	0_2_01003341
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_010032B1 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose,	0_2_010032B1
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_010036BA OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,_snprintf,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,	0_2_010036BA
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_010074CA NtClose,	0_2_010074CA

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01002975: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle,

0_2_01002975

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_010036BA OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,_snprintf,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary,

0_2_010036BA

Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_0100790C	0_2_0100790C
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01007C1C	0_2_01007C1C
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01008B2D	0_2_01008B2D
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_0100832F	0_2_0100832F
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01008772	0_2_01008772
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01007F77	0_2_01007F77
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01004BAD	0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Code function: 0_2_01004BAD	0_2_01004BAD

Source: dotNetFx35setup.exe, 00000000.00000000.1990390799.000000000101C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesfxcab.exe0 vs dotNetFx35setup.exe
Source: dotNetFx35setup.exe	Binary or memory string: OriginalFilenamesfxcab.exe0 vs dotNetFx35setup.exe

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess,

0_2_01004BAD

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe	Section loaded: netutils.dll	Jump to behavior

Source: dotNetFx35setup.exe

Static file information: File size 2869264 > 1048576

Source:	Binary string: sfxcab.pdb source: dotNetFx35setup.exe
Source:	Binary string: sfxcab.pdbU source: dotNetFx35setup.exe

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01002858 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_01002858

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

0_2_01004373

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01002858 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_01002858

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

0_2_01004BAD

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01005D91 SetUnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_01005D91

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

0_2_01004BAD

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01003A05 AllocateAndInitializeSid,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLengthSid,GetTokenInformation,GetLengthSid,

0_2_01003A05

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

Code function: 0_2_01005D0B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,GetModuleHandleA,GetProcAddress,

0_2_01005D0B

Source: C:\Users\user\Desktop\dotNetFx35setup.exe

0_2_010036BA

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dotNetFx35setup.exe	0%	ReversingLabs
dotNetFx35setup.exe	0%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426591
Start date and time:	2024-04-16 10:47:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dotNetFx35setup.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target dotNetFx35setup.exe, PID 4092 because there are no executed function

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997752435786725
TrID:	Win32 Executable (generic) a (10002005/4) 96.58% MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (350627/2) 3.39% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dotNetFx35setup.exe
File size:	2'869'264 bytes
MD5:	269f314b87e6222a20e5f745b6b89783
SHA1:	b0ca05c12ebb9a3610206bad7f219e02b7873cbd
SHA256:	c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257
SHA512:	34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb
SSDEEP:	49152:lQ1IXUtz3UXyYAtehSSJEWFU3P5F06520twrKf5gRV6Cs7esM7ELNgZkuudpvXps:ll8zkXyPterEf7520KrjYCsY0geuubXq
TLSH:	47D53312933A9F51F0B7EA3478D67A83BDF6181B650FCE59A5286DC8F80D15C493BE08
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........K...K...K.......D...K... ......._.......J.......J...RichK...........PE..L...{..B.................z..........rY... .........

File Icon


Icon Hash:	8787d7d3b9b53597

Target ID:	0
Start time:	10:48:44
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\dotNetFx35setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dotNetFx35setup.exe"
Imagebase:	0x1000000
File size:	2'869'264 bytes
MD5 hash:	269F314B87E6222A20E5F745B6B89783
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 01004BAD Relevance: 155.1, APIs: 77, Strings: 11, Instructions: 1073windowtimestringCOMMON

Download Yara Rule

APIs

Part of subcall function 010042AF: GetFileAttributesA.KERNEL32(?), ref: 0100431D
Part of subcall function 010042AF: LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004331
Part of subcall function 010042AF: GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004341
Part of subcall function 010042AF: GetLastError.KERNEL32 ref: 0100435A

InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?), ref: 01004C48
InitializeAcl.ADVAPI32(?,00000100,00000002,?,?,?,?,?), ref: 01004C60
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01004C82
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01004C95
AddAccessAllowedAce.ADVAPI32(?,00000002,10000000,?,?,?,?,?,?), ref: 01004CA8
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,?,?,?,?), ref: 01004CBF
GetCurrentDirectoryA.KERNEL32(00000104,0100AD60,?,?,?,?,?), ref: 01004CE9
GetSystemDirectoryA.KERNEL32(0100B0C0,0000FFFF), ref: 01004CFE
QueryDosDeviceA.KERNEL32(?,?,00000400), ref: 01004D3C
_strlwr.MSVCRT ref: 01004D52
strstr.MSVCRT ref: 01004D69
strstr.MSVCRT ref: 01004D7A
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?,?), ref: 01004DB9
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,?,?), ref: 01004EB5
CryptGenRandom.ADVAPI32(?,00000010,?,?,?,?,?,?), ref: 01004EE0
sprintf.MSVCRT ref: 01004EF4
sprintf.MSVCRT ref: 01004F29
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?), ref: 01004F7F
GetSystemTime.KERNEL32(?,?,temp\ext,0100AD60,?,?,?,?,?), ref: 01004FA5
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?), ref: 01004FB3
DialogBoxParamA.USER32(0000006B,Function_00003B66,00000000), ref: 0100501D
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0100511E
LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,?), ref: 0100512C
SetFileTime.KERNEL32(DADAFEED,?,?,?,?,00000000,?), ref: 0100513B
CloseHandle.KERNEL32(DADAFEED,?,00000000,?), ref: 01005144
SendDlgItemMessageA.USER32(?,0000006A,00000405,00000000,00000000), ref: 01005175
MoveFileExA.KERNEL32(0100A080,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 010051A0
strstr.MSVCRT ref: 01005222
_stricmp.MSVCRT(?,_sfx_manifest_,?,00000000,?), ref: 01005264
SendDlgItemMessageA.USER32(?,00000068,0000000C,00000000,?), ref: 010052C5
GetLastError.KERNEL32(?,00000000,?), ref: 01005302
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000,0100A008,?,0100AD60,?,?,?,00000000,?), ref: 0100535F
SetFilePointer.KERNEL32(00000000,?,00000000,00000000,?,00000000,?), ref: 01005379
SetEndOfFile.KERNEL32(00000000,?,00000000,?), ref: 0100537C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 01005386
InitializeCriticalSectionAndSpinCount.KERNEL32(0100AD40,00009192,00009192,00000000,?,00000000), ref: 010053CC
#17.COMCTL32 ref: 010053DB
GetProcessHeap.KERNEL32 ref: 010053E1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 010053FB
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0100544E
CreateThread.KERNEL32(00000000,00000000,Function_0000368E,00000000,00000000,?), ref: 01005463

Part of subcall function 0100425B: CreateDirectoryA.KERNEL32(?,?), ref: 01004281

WaitForSingleObject.KERNEL32(00009192), ref: 0100547B
Sleep.KERNEL32(000001F4), ref: 010054A7
ShowWindow.USER32(00000000), ref: 010054B4
SetParent.USER32 ref: 010054C6
ShowWindow.USER32(00000000), ref: 0100557C
LoadStringA.USER32(20000004,0100AE80,00000104), ref: 010055B6
LoadStringA.USER32(20000006,0100A8C0,00000104), ref: 010055CE
SendDlgItemMessageA.USER32(00000065,0000000C,00000000,0100AE80), ref: 010055E0
SendDlgItemMessageA.USER32(00000066,0000000C,00000000,0100A8C0), ref: 010055EE
SendDlgItemMessageA.USER32(00000069,0000000C,00000000,0100AD60), ref: 01005600
SendDlgItemMessageA.USER32(0000006A,00000402,00000000,00000000), ref: 01005611
SendDlgItemMessageA.USER32(0000006A,00000401,00000000,?), ref: 0100562A
ShowWindow.USER32(00000005), ref: 01005634
DeleteCriticalSection.KERNEL32(0100AD40,20000001), ref: 0100595B
ExitProcess.KERNEL32 ref: 0100596B

Strings

ramdisk, xrefs: 01004D74
cdtag.1, xrefs: 0100521A
_sfx_manifest_, xrefs: 0100525C, 01005684
_SFX_CAB_EXE_PACKAGE, xrefs: 0100578F
D, xrefs: 01005840
c:\, xrefs: 01004BD5
temp\ext, xrefs: 01004F91
harddisk, xrefs: 01004D61
_SFX_CAB_EXE_PATH, xrefs: 01005783
_SFX_CAB_EXE_PARAMETERS, xrefs: 0100579C
%02x, xrefs: 01004F21

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: File$Time$ItemMessageSend$Create$AccessAllowedCryptDirectoryInitializeLoadShowSystemWindowstrstr$ContextCriticalDescriptorErrorEventLastPointerProcessSectionSecurityStringsprintf$AcquireAddressAttributesCloseCountCurrentDaclDateDeleteDeviceDialogDiskExitFreeHandleHeapLibraryLocalMoveObjectParamParentProcQueryRandomReleaseSingleSleepSpaceSpinThreadWait_stricmp_strlwr
String ID: %02x$D$_SFX_CAB_EXE_PACKAGE$_SFX_CAB_EXE_PARAMETERS$_SFX_CAB_EXE_PATH$_sfx_manifest_$c:\$cdtag.1$harddisk$ramdisk$temp\ext
API String ID: 694382971-1981523505
Opcode ID: 1dcb4ba0e6e4be2e8d7a80653661f32d6b4456496f8c67cd187326e2e8a35775
Instruction ID: 4a5fc7205fd864f2b988a0819115a85d9521f51c568d1401561457867827a862
Opcode Fuzzy Hash: 1dcb4ba0e6e4be2e8d7a80653661f32d6b4456496f8c67cd187326e2e8a35775
Instruction Fuzzy Hash: 00827C71A00349EFFB33DFA49C88AAE7BA9AB05305F00412AF6C5A71C5D77A4944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01004373 Relevance: 67.1, APIs: 30, Strings: 8, Instructions: 609filestringwindowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,00000000), ref: 010043E6
strstr.MSVCRT ref: 0100447C
SetFileAttributesA.KERNEL32(?,00000080,0100A008,?), ref: 010044B7
GetLastError.KERNEL32 ref: 010044FB
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 0100460D
strstr.MSVCRT ref: 0100466D
SetFileAttributesA.KERNEL32(?,00000080,0100A008,?), ref: 010046A8
CopyFileA.KERNEL32(?,?,00000000), ref: 010046BD
GetLastError.KERNEL32 ref: 010046C6
CopyFileA.KERNEL32(0100AB00,0100A080,00000000), ref: 01004714
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004745
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?,?), ref: 010047CA
_strlwr.MSVCRT ref: 01004809
GetLastError.KERNEL32 ref: 01004841
MoveFileA.KERNEL32(?,0100AB00), ref: 01004865
MoveFileA.KERNEL32(0100AB00,?), ref: 01004893
_strlwr.MSVCRT ref: 010048AC
strstr.MSVCRT ref: 01004966
FindFirstFileA.KERNEL32(?,?), ref: 01004981
strrchr.MSVCRT ref: 0100499C
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,?), ref: 010049C8
DeleteFileA.KERNEL32(?), ref: 010049E8
Sleep.KERNEL32(000001F4), ref: 010049F7
SetFileAttributesA.KERNEL32(?,00000080), ref: 01004A09
DeleteFileA.KERNEL32(?), ref: 01004A16
FindNextFileA.KERNEL32(?,?), ref: 01004A38
FindClose.KERNEL32(?), ref: 01004A49
strchr.MSVCRT ref: 01004AA1
strrchr.MSVCRT ref: 01004B59
SendDlgItemMessageA.USER32(00000068,0000000C,00000000,0100226B,?), ref: 01004B8C

Strings

command, xrefs: 01004A63
verify, xrefs: 01004769, 010048F3
options, xrefs: 01004A68, 01004A6D, 01004AEE
\..\, xrefs: 01004476, 01004667, 01004960
delete, xrefs: 01004910, 01004915, 01004A4F
copy, xrefs: 010045AD, 01004751
run, xrefs: 01004AE9
deltas, xrefs: 01004389, 0100438E, 0100459C

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: File$ItemMessageSend$Attributes$ErrorFindLaststrstr$CopyDeleteMove_strlwrstrrchr$CloseFirstNextSleepstrchr
String ID: \..\$command$copy$delete$deltas$options$run$verify
API String ID: 3851170777-1340136238
Opcode ID: 931f6e80941eee581e58e99b3e9b7d62a40c09c490874fc22ce823aacf590507
Instruction ID: a2ffd0d7f9172623b5044838d67ff78a0f1503e5ac23cb5643a916188d07114c
Opcode Fuzzy Hash: 931f6e80941eee581e58e99b3e9b7d62a40c09c490874fc22ce823aacf590507
Instruction Fuzzy Hash: 102231B1500349AFFB73DF64DC88FEE3BADAB45611F10452AEA89DB081DB359644CB24

Uniqueness

Uniqueness Score: -1.00%

Function 010036BA Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 176synchronizationlibraryshutdownCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000,WFP_IDLE_TRIGGER), ref: 010036EC

Part of subcall function 0100323E: CloseHandle.KERNEL32(?,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 01003253
Part of subcall function 0100323E: CreateFileA.KERNEL32(0100A9E0,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 0100327A
Part of subcall function 0100323E: CloseHandle.KERNEL32(?,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 010032A1

WaitForSingleObject.KERNEL32(00000000,0000EA60,Shutdown Initiated in Self Extractor ), ref: 01003708
CloseHandle.KERNEL32(00000000), ref: 0100370F
Sleep.KERNEL32(00002710,Shutdown Initiated in Self Extractor ), ref: 01003728
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0100375E
GetProcAddress.KERNEL32(00000000,InitiateSystemShutdownExA), ref: 01003774
WaitForSingleObject.KERNEL32(00000000), ref: 01003787
InitiateSystemShutdownA.ADVAPI32(00000000,00000000,00000000,?,?), ref: 010037C7
GetLastError.KERNEL32 ref: 010037D7
WaitForSingleObject.KERNEL32(00000BB8), ref: 010037F7
GetLastError.KERNEL32 ref: 01003809
_snprintf.MSVCRT ref: 0100381D
GetVersionExA.KERNEL32(?,?), ref: 01003843
GetVersionExA.KERNEL32(?), ref: 01003856
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0100386A
strchr.MSVCRT ref: 0100387D
CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,02000000,00000000), ref: 0100389F
FlushFileBuffers.KERNEL32(00000000), ref: 010038AD
CloseHandle.KERNEL32(00000000), ref: 010038B6
NtShutdownSystem.NTDLL ref: 010038C2
FreeLibrary.KERNEL32(?), ref: 010038D9

Strings

Shutdown Initiated in Self Extractor , xrefs: 010036F2
advapi32.dll, xrefs: 01003759
Failed to Adjust ENABLE_PRIVILEGE , xrefs: 01003748
ShutdownSystem: Failed , xrefs: 010038EF
WFP_IDLE_TRIGGER, xrefs: 010036CC
InitiateSystemShutdown() Failed with error 0x%lx , xrefs: 0100380C
InitiateSystemShutdownExA, xrefs: 0100376E

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: CloseHandle$FileObjectSingleSystemWait$CreateErrorLastLibraryShutdownVersion$AddressBuffersDirectoryEventFlushFreeInitiateLoadOpenProcSleep_snprintfstrchr
String ID: Failed to Adjust ENABLE_PRIVILEGE $InitiateSystemShutdown() Failed with error 0x%lx $InitiateSystemShutdownExA$Shutdown Initiated in Self Extractor $ShutdownSystem: Failed $WFP_IDLE_TRIGGER$advapi32.dll
API String ID: 1438871646-2190802367
Opcode ID: e16d1c5e30cf5cf918e6801bee1f3de660ee26618322df16eba3f0455c63093d
Instruction ID: fa78a2391aa56f3a4227d8bf8b83eee1e1ff8068ca64cc75ca1fd992ffc242c2
Opcode Fuzzy Hash: e16d1c5e30cf5cf918e6801bee1f3de660ee26618322df16eba3f0455c63093d
Instruction Fuzzy Hash: 5E516471940319AFFB77ABA5DC8CE9D77B8FB04304F0104A5F789A6091DB798A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01002858 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000208), ref: 0100288F
LoadLibraryA.KERNEL32(?), ref: 010028BE
GetProcAddress.KERNEL32(00000000,OpenCluster), ref: 010028DA
GetProcAddress.KERNEL32(00000000,CloseCluster), ref: 010028E9
GetProcAddress.KERNEL32(00000000,GetNodeClusterState), ref: 010028F9
GetProcAddress.KERNEL32(00000000,GetClusterQuorumResource), ref: 01002907
FreeLibrary.KERNEL32(00000000), ref: 01002957

Strings

GetClusterQuorumResource, xrefs: 01002901
GetNodeClusterState, xrefs: 010028F3
OpenCluster, xrefs: 010028D4
CloseCluster, xrefs: 010028E3
\clusapi.dll, xrefs: 010028AE

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: AddressProc$Library$DirectoryFreeLoadSystem
String ID: CloseCluster$GetClusterQuorumResource$GetNodeClusterState$OpenCluster$\clusapi.dll
API String ID: 1303522615-3927317670
Opcode ID: c1e28ea40aa95c970bd2515156aeeae597b2fe8cda87cb64a680d6756fe9de5b
Instruction ID: d686d9e9beb2ecf3ac643f9400437ff79e5266c8eeb7146fe51df6010c016750
Opcode Fuzzy Hash: c1e28ea40aa95c970bd2515156aeeae597b2fe8cda87cb64a680d6756fe9de5b
Instruction Fuzzy Hash: 77318631A007199EFB73DFA88C48AEE7BFCAF4A640F040159EA94E7141D7749506CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01005D0B Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40libraryloadertimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 01005D26
GetCurrentProcessId.KERNEL32 ref: 01005D32
GetCurrentThreadId.KERNEL32 ref: 01005D3A
GetTickCount.KERNEL32 ref: 01005D42
QueryPerformanceCounter.KERNEL32(?), ref: 01005D4E
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 01005D73
GetProcAddress.KERNEL32(00000000,UnhandledExceptionFilter), ref: 01005D84

Strings

UnhandledExceptionFilter, xrefs: 01005D7E
kernel32.dll, xrefs: 01005D6E

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: CurrentTime$AddressCountCounterFileHandleModulePerformanceProcProcessQuerySystemThreadTick
String ID: UnhandledExceptionFilter$kernel32.dll
API String ID: 2672014633-2428948374
Opcode ID: 8836856e425517a9b37d542b8fb2adc1402a7956b3e3de5b44b3ee0ac24449e9
Instruction ID: b95f8e904764b8bc762317a79cabda48efacd96275328473a0dfd119305418df
Opcode Fuzzy Hash: 8836856e425517a9b37d542b8fb2adc1402a7956b3e3de5b44b3ee0ac24449e9
Instruction Fuzzy Hash: ED017179D002189BDB33EBF4E84C59EB7F8FB1C341F450552EA81E7148DA3995448B80

Uniqueness

Uniqueness Score: -1.00%

Function 01003A05 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01003A44
GetCurrentProcess.KERNEL32(00000028,?), ref: 01003A54
OpenProcessToken.ADVAPI32(00000000), ref: 01003A5B
GetTokenInformation.ADVAPI32(?,00000004,0100B0C0,00010000,00000000), ref: 01003A86
GetLengthSid.ADVAPI32 ref: 01003A97
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),0100B0C0,00010000,00000000), ref: 01003ADA
GetLengthSid.ADVAPI32 ref: 01003AE6

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: Token$InformationLengthProcess$AllocateCurrentInitializeOpen
String ID:
API String ID: 3439802213-0
Opcode ID: 6ff6391c5b447c1781874fac130cb19b924f6e13a6a55c0a2b1c7260f8f87023
Instruction ID: 3a25e2101ce50678b8b8c7b8ba5352504fe85c9604b390e274a817cd7261bb1a
Opcode Fuzzy Hash: 6ff6391c5b447c1781874fac130cb19b924f6e13a6a55c0a2b1c7260f8f87023
Instruction Fuzzy Hash: FC317031600209AFFB27DB689C59BAF7BA5FB49654F044059FA81DB2C1E6758904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01002975 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 010029A3
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 010029D5
DeviceIoControl.KERNEL32(00000000,00070000,00000000,00000000,?,00000018,?,00000000), ref: 010029F5
CloseHandle.KERNEL32(00000000), ref: 01002A08

Strings

\\.\?:, xrefs: 01002986
?:\, xrefs: 01002997

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: CloseControlCreateDeviceDriveFileHandleType
String ID: ?:\$\\.\?:
API String ID: 3103408351-3307214488
Opcode ID: 47498a4bcb74dded4c29c00e05d7b639877be6728e5536a954586cf20def41e0
Instruction ID: ead682f2c064a072bdc93cd4bf06150654d79a6cf303370e7d30dc00cbb2182d
Opcode Fuzzy Hash: 47498a4bcb74dded4c29c00e05d7b639877be6728e5536a954586cf20def41e0
Instruction Fuzzy Hash: B9118136600258ABE722D6A99C4CEDFBFACEB5A390F044552BA95E3180CA748644C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 01003341 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 01003355
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 01003375
NtClose.NTDLL ref: 01003382

Part of subcall function 0100323E: CloseHandle.KERNEL32(?,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 01003253
Part of subcall function 0100323E: CreateFileA.KERNEL32(0100A9E0,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 0100327A
Part of subcall function 0100323E: CloseHandle.KERNEL32(?,00000000,?,010032FD,NtOpenProcessToken Failed ), ref: 010032A1

Strings

RestorePrivilege():Failed To Open Process Token, xrefs: 0100335F
RestorePrivilege(): Failed To Restore Privilege , xrefs: 0100338D

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: Close$HandleToken$AdjustCreateFileOpenPrivilegesProcess
String ID: RestorePrivilege(): Failed To Restore Privilege $RestorePrivilege():Failed To Open Process Token
API String ID: 1340415033-792189412
Opcode ID: bbb9f9c581c594dde491b117308a5593439305b6d4ffa5aefab84c243a3af996
Instruction ID: 1529574eea9e65eb4c5606a3ab5cfa18725d1f79ef387119ba21a54904085f2f
Opcode Fuzzy Hash: bbb9f9c581c594dde491b117308a5593439305b6d4ffa5aefab84c243a3af996
Instruction Fuzzy Hash: 22F06D35501515BEEB136BA2CC4DDDFBFACFF16651F108124B591E80D0DB718A00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010032B1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtOpenProcessToken.NTDLL(000000FF,00000028,?), ref: 010032E9
NtAdjustPrivilegesToken.NTDLL(?,00000000,00000000,00000000,00000000,?), ref: 0100331C
NtClose.NTDLL ref: 01003329
NtClose.NTDLL ref: 01003334

Strings

NtOpenProcessToken Failed , xrefs: 010032F3

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: CloseToken$AdjustOpenPrivilegesProcess
String ID: NtOpenProcessToken Failed
API String ID: 2239692276-916547032
Opcode ID: f9475cd88552716c38a408619494e54f4defc056fe3f04aef1a24c85358ea65e
Instruction ID: 47b30176348a3bbc47bc56b65be6ce95b57b5441ac869951e058b08c2605c460
Opcode Fuzzy Hash: f9475cd88552716c38a408619494e54f4defc056fe3f04aef1a24c85358ea65e
Instruction Fuzzy Hash: 2E11393160111AEFFB139FA9C849AEE7BB8FB14704F00C565B991DA180D7B1DA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01005D91 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01005DF9
GetCurrentProcess.KERNEL32(00000502), ref: 01005E0F
TerminateProcess.KERNEL32(00000000), ref: 01005E16

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: Process$CurrentExceptionFilterTerminateUnhandled
String ID:
API String ID: 3985764695-0
Opcode ID: 984346633d4f204b717883a53bfd6cc5b3ce50736d7b60c78e56e380042f0a69
Instruction ID: cadd8f9039b27bef410ff73c1f8cbbafddea93bf410dc89ce31535f619ef2b4c
Opcode Fuzzy Hash: 984346633d4f204b717883a53bfd6cc5b3ce50736d7b60c78e56e380042f0a69
Instruction Fuzzy Hash: 1F110971A003099FEB32EFA4E85CADD7BB4BB48311F00442AE696A7184EB799549CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01007F77 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c60de342e90d044fef2e91ff0a33f63530905a9f3501dc7b6b7fbbe28583c0d
Instruction ID: 7bdb3de40f7b16b4e3fdbb9010e3ed8600d9d80757d11d48e2a42a01d3a4519c
Opcode Fuzzy Hash: 9c60de342e90d044fef2e91ff0a33f63530905a9f3501dc7b6b7fbbe28583c0d
Instruction Fuzzy Hash: 2BC18231D082959BEB4BCF68C4A43EDBBB0BF05314F18C1AEC8D6AB682D7755585CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0100832F Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a659f9d668ddf8d5885c677a761184c59a9ed3dc7fedb9055773c3892dd1c3
Instruction ID: d6e7e9c652fa479cb36e608c9f298f5dbe7ac16baa02250beda63240f1d12ce0
Opcode Fuzzy Hash: 90a659f9d668ddf8d5885c677a761184c59a9ed3dc7fedb9055773c3892dd1c3
Instruction Fuzzy Hash: D9C18631D082959FDB0BCF68C4A46EDBBB0BF05314F19C5AED9D66B282C7749A85C780

Uniqueness

Uniqueness Score: -1.00%

Function 0100790C Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6525c560449e1ea7dad44570e9ddaa0f412bba58f467084185284278718c086f
Instruction ID: 882c2988c2584e14a4ebd2bd9ff01e3212ad1c0dbefbedf62c6b66be4b2ceb63
Opcode Fuzzy Hash: 6525c560449e1ea7dad44570e9ddaa0f412bba58f467084185284278718c086f
Instruction Fuzzy Hash: 75A185319086959FDB0ACF98C0947EDFBB1BF45314F1981EDC9D66B282C7746A85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01007C1C Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13754b0c9af3de1549eec2cd29190b00d98ed929d28a9553ad532199e3395c35
Instruction ID: a1b4a997927129edd7373ba7edc78efd16e1f7582783e427a85ac2212e7634ef
Opcode Fuzzy Hash: 13754b0c9af3de1549eec2cd29190b00d98ed929d28a9553ad532199e3395c35
Instruction Fuzzy Hash: CAA18A355042959FDB0BCF18C4946EEBBB0FF45314F1486AED8D69B382C774AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01008772 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c225b3d61e53693e46f18e2adb33c83097d8c9bb96b464cdde02c28129c2d1
Instruction ID: ae124d6a84aa86ef0b41d265e95d6d1d6d02651a4bf8d9d15339b31a1bcedd1e
Opcode Fuzzy Hash: 29c225b3d61e53693e46f18e2adb33c83097d8c9bb96b464cdde02c28129c2d1
Instruction Fuzzy Hash: 9A811430A0474A9EFB2BDE28C5847FEB7E0BF04700F54812BE9D6921D2E3749990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01008B2D Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac211542a3869dc8880f68233b4de0dfb7fb2ced29cb3492eb621ecda2867df
Instruction ID: ee7552dc6f04aeafd0785c2b777b743ecbf0aff2aaf96e31b4dc638c9c77566f
Opcode Fuzzy Hash: fac211542a3869dc8880f68233b4de0dfb7fb2ced29cb3492eb621ecda2867df
Instruction Fuzzy Hash: 0761B431A105598BEF2ADE6CC4944AD7BE2FF89340F24856EEDD2C7291EA30D856CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010074CA Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dafe5b08d1e261c2ce124db43fb324270d1e409903ec97e50048455bb3c3016
Instruction ID: c5c7962ec9bfd276c06f62569fe644236bd23479e08b8a627ddd072a21015ce1
Opcode Fuzzy Hash: 0dafe5b08d1e261c2ce124db43fb324270d1e409903ec97e50048455bb3c3016
Instruction Fuzzy Hash: 4C51B03164028A9AFB779E28CD58BEA3699BB55301F140025EDCA9B2C1DBF87A84C710

Uniqueness

Uniqueness Score: -1.00%

Function 01002E23 Relevance: 24.3, APIs: 16, Instructions: 273memoryfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,10000000,00000000), ref: 01002E4C
ReadFile.KERNEL32(00000000,?,000000F8,?,00000000), ref: 01002E7C
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01002EA5
ReadFile.KERNEL32(?,00005A4D,000000F8,?,00000000), ref: 01002EC7
HeapAlloc.KERNEL32(00000008,?), ref: 01002F20
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 01002F41
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 01002F5F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 010030DA
HeapAlloc.KERNEL32(00000008,00000000), ref: 010030FC
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0100311B
GetEnvironmentVariableA.KERNEL32(?,00000000,00000000), ref: 01003125
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01003143
HeapAlloc.KERNEL32(00000008,00000000), ref: 0100315D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 01003179
SetEnvironmentVariableA.KERNEL32(?,00000000), ref: 01003182
CloseHandle.KERNEL32(?), ref: 0100319A

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: File$ByteCharMultiWide$AllocHeapRead$EnvironmentPointerVariable$CloseCreateHandle
String ID:
API String ID: 2380048033-0
Opcode ID: 97296b6a5ae1070499f561d03bbdb1e99bdb29609451bee810a8b9544af7c72d
Instruction ID: aa1efc65d1c8908e80179af0249990d3a2d581a122d3882f80298e4c9bf648d5
Opcode Fuzzy Hash: 97296b6a5ae1070499f561d03bbdb1e99bdb29609451bee810a8b9544af7c72d
Instruction Fuzzy Hash: 91A140719002199FEF779F29CC58BE9B6B9FF08354F1041AAF599A6192DA318D81CF20

Uniqueness

Uniqueness Score: -1.00%

Function 01003CFC Relevance: 23.1, APIs: 8, Strings: 5, Instructions: 381COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,0100AC20,00000104), ref: 01003D10
GetCommandLineA.KERNEL32(?), ref: 01003D4B
GetFileAttributesA.KERNEL32(0100A8C0), ref: 01003F11
_strnicmp.MSVCRT ref: 01004031
_strnicmp.MSVCRT ref: 01004064
_strnicmp.MSVCRT ref: 01004138

Strings

extract:, xrefs: 0100402B
extract, xrefs: 0100405E
passive, xrefs: 0100410A
quiet, xrefs: 010040DA
integrate, xrefs: 01004132

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: _strnicmp$File$AttributesCommandLineModuleName
String ID: extract$extract:$integrate$passive$quiet
API String ID: 3875041768-2274489984
Opcode ID: 93a681b93137e4953b53c2a4d15290101c9164a112d42ad5f80b312c55fb3b6d
Instruction ID: c54a824d2572db3d78b1d6c0a949b8d436362e25c6b12cca0fe0d824c21bf959
Opcode Fuzzy Hash: 93a681b93137e4953b53c2a4d15290101c9164a112d42ad5f80b312c55fb3b6d
Instruction Fuzzy Hash: 7AC124306083859EFB678F2C98583F67FE1BB56300F480199DAC5DB2C6C72A994AC755

Uniqueness

Uniqueness Score: -1.00%

Function 01002C7E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

SetParent.USER32(?,000000FD), ref: 01002CB5
Sleep.KERNEL32(000001F4), ref: 01002CC5
SetEvent.KERNEL32 ref: 01002CD1
SetEvent.KERNEL32 ref: 01002CE6
CreateEventW.KERNEL32(00000000,00000001,00000000,Global\HotfixNoShutDown), ref: 01002CF5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01002D18
CloseHandle.KERNEL32(?), ref: 01002D21
TerminateProcess.KERNEL32(?,00000001), ref: 01002D38
EndDialog.USER32(?,00000000), ref: 01002D50

Strings

Global\HotfixNoShutDown, xrefs: 01002CEC

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: Event$CloseCreateDialogHandleMultipleObjectsParentProcessSleepTerminateWait
String ID: Global\HotfixNoShutDown
API String ID: 2160021069-3107748146
Opcode ID: 9b602f12c433d14080fb658a208067ce1ab90d92fa4623dec5b4d0dcf72d3d9e
Instruction ID: 41e82e01114d3b4e8218b2caf5061671717d12d5e45f3d52f337d2fc8830da12
Opcode Fuzzy Hash: 9b602f12c433d14080fb658a208067ce1ab90d92fa4623dec5b4d0dcf72d3d9e
Instruction Fuzzy Hash: ED214F30504328EBEB33AF64EC0CA9E7FB9EB05711F108556F686961D8C77A8981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01002789 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000), ref: 010027B1
SetErrorMode.KERNEL32(00000000), ref: 010027BA
GetTickCount.KERNEL32 ref: 010027BC
sprintf.MSVCRT ref: 010027E2
CreateDirectoryA.KERNEL32(?,00000000), ref: 010027F1
GetLastError.KERNEL32 ref: 010027FB
RemoveDirectoryA.KERNEL32(?), ref: 0100281A
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0100282B
SetErrorMode.KERNEL32(?), ref: 0100283B

Strings

%s_%06u_, xrefs: 010027DC

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: Error$Mode$Directory$CountCreateFileLastMoveRemoveTicksprintf
String ID: %s_%06u_
API String ID: 2138407651-2224866286
Opcode ID: 79f48d8f0ee11b7160f74fa89b24327457f014d8e8f70280620dfda206a8994c
Instruction ID: 4292437d325096769ba955c0c75f2206e7eaa68a379665d2dc8793e19c6eb8a8
Opcode Fuzzy Hash: 79f48d8f0ee11b7160f74fa89b24327457f014d8e8f70280620dfda206a8994c
Instruction Fuzzy Hash: 41211F759002089BEB32EFB9DC8CADD7BBDFB58304F10442AE659E3142D73996048F10

Uniqueness

Uniqueness Score: -1.00%

Function 01003B66 Relevance: 16.6, APIs: 11, Instructions: 124windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(20000005,?,00000104), ref: 01003BD1
SHBrowseForFolderA.SHELL32(?), ref: 01003C15
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 01003C27
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,?), ref: 01003C3E
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 01003C49
SendDlgItemMessageA.USER32(?,0000006C,0000000D,00000104,?), ref: 01003C71
LoadStringA.USER32(20000005,?,00000104), ref: 01003C9D
SendMessageA.USER32(?,0000000C,00000000,?), ref: 01003CB2
SendDlgItemMessageA.USER32(?,00000067,0000000C,00000000,?), ref: 01003CCD
SendDlgItemMessageA.USER32(?,0000006C,0000000C,00000000,0100AD60), ref: 01003CDC
EndDialog.USER32(?,00000000), ref: 01003CE5

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: MessageSend$Item$LoadString$BrowseDialogFolderFromListPath
String ID:
API String ID: 4196404735-0
Opcode ID: ee738b9a55def9f6bd726eae63b2e99d9fd44154da85ddc859c62bcc01c75331
Instruction ID: 0b0e44a583c2c4f1cf48ad0424a8f4404f33690fedf35d29108f5da2406bcbb1
Opcode Fuzzy Hash: ee738b9a55def9f6bd726eae63b2e99d9fd44154da85ddc859c62bcc01c75331
Instruction Fuzzy Hash: EC414B7550421CBFFB629B65DC8CFEA7BB8FB18344F0040A1B6C5EA184DAB59A848F50

Uniqueness

Uniqueness Score: -1.00%

Function 010033B1 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0100341C
LoadLibraryA.KERNEL32(?,?,mspatcha.dll,?), ref: 01003441
GetProcAddress.KERNEL32(00000000,GetFilePatchSignatureA), ref: 0100345C
GetProcAddress.KERNEL32(ApplyPatchToFileA), ref: 0100346E

Strings

options, xrefs: 010033D5
mspatcha.dll, xrefs: 01003429
GetFilePatchSignatureA, xrefs: 01003456
patchdll, xrefs: 010033D0
ApplyPatchToFileA, xrefs: 0100345E

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: ApplyPatchToFileA$GetFilePatchSignatureA$mspatcha.dll$options$patchdll
API String ID: 2141747552-2620544346
Opcode ID: af1ae7e87c7e0f97d47ad7c409f933be02ba94869018606c1fd710d6dd64303c
Instruction ID: c55e79a00b7bdccfe4314fab56b2fb7eecb56e67f3f2003fb8011306c72d3c47
Opcode Fuzzy Hash: af1ae7e87c7e0f97d47ad7c409f933be02ba94869018606c1fd710d6dd64303c
Instruction Fuzzy Hash: 9C210EB5A00318EFEB37DB65DC48BDA77A8B718304F004496B6C4AB185DB799A888B50

Uniqueness

Uniqueness Score: -1.00%

Function 01002BAA Relevance: 15.1, APIs: 10, Instructions: 74fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0100AD40,?,00000000,?,?,01002D2C), ref: 01002BB3
CloseHandle.KERNEL32(?,?,00000000,?,?,01002D2C), ref: 01002BC9
CloseHandle.KERNEL32(?,?,00000000,?,?,01002D2C), ref: 01002BDD
DeleteFileA.KERNEL32(?,?,00000000,?,?,01002D2C), ref: 01002C07
GetLastError.KERNEL32(?,00000000,?,?,01002D2C), ref: 01002C11
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002C24
RemoveDirectoryA.KERNEL32(?,?,00000000,?,?,01002D2C), ref: 01002C45
GetLastError.KERNEL32(?,00000000,?,?,01002D2C), ref: 01002C4F
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 01002C62
LeaveCriticalSection.KERNEL32(0100AD40,?,00000000,?,?,01002D2C), ref: 01002C73

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: File$CloseCriticalErrorHandleLastMoveSection$DeleteDirectoryEnterLeaveRemove
String ID:
API String ID: 3032557604-0
Opcode ID: f45af5be708c3c89de8f8f3adb616f87801bd489cf9fcdb4222cadf99aa029c5
Instruction ID: 0efc7d28651c67826502d814eaa7017052815440e70a66dc8bdc948d302d26db
Opcode Fuzzy Hash: f45af5be708c3c89de8f8f3adb616f87801bd489cf9fcdb4222cadf99aa029c5
Instruction Fuzzy Hash: 11219D71700708DBF633AF68DD8DF6A77A9EB04761F144844E6D9A31D0C72AE804CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01003518 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63fileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,00000000,00000000), ref: 01003523
CreateFileA.KERNEL32(0100AFA0,C0000000,00000003,00000000,00000001,04000002,00000000,0100AD60,$shtdwn$.req,0100AFA0), ref: 01003558
WriteFile.KERNEL32(00000000,0100A5A0,00000314,?,00000000), ref: 010035AF
SetEnvironmentVariableA.KERNEL32(_SFX_CAB_SHUTDOWN_REQUEST,0100AFA0), ref: 010035C5
CloseHandle.KERNEL32 ref: 010035D3

Strings

_SFX_CAB_SHUTDOWN_REQUEST, xrefs: 0100351E, 010035C0
$shtdwn$.req, xrefs: 01003538

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: EnvironmentFileVariable$CloseCreateHandleWrite
String ID: $shtdwn$.req$_SFX_CAB_SHUTDOWN_REQUEST
API String ID: 510931695-2041511661
Opcode ID: 769ac63244933543491d92e018d70e7e4e3654679955ab0ff26f61b7bdd484af
Instruction ID: 53e791ed29e2f42c8e05856b353255c80aa21b7adca10950c7bdaef2ffe456af
Opcode Fuzzy Hash: 769ac63244933543491d92e018d70e7e4e3654679955ab0ff26f61b7bdd484af
Instruction Fuzzy Hash: 5B119D70704308AFF2339B69AC4DB533AADF785766F108229B1C19B1D8D7AB09008721

Uniqueness

Uniqueness Score: -1.00%

Function 010042AF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 0100431D
LoadLibraryA.KERNEL32(advapi32.dll), ref: 01004331
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 01004341
GetLastError.KERNEL32 ref: 0100435A

Strings

advapi32.dll, xrefs: 0100432C
DecryptFileA, xrefs: 0100433B

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: AddressAttributesErrorFileLastLibraryLoadProc
String ID: DecryptFileA$advapi32.dll
API String ID: 2627083309-2381948369
Opcode ID: 5e08ba529bd44c45d495a58afa41c96b313d0c43d68bb854fea97fea9a242c61
Instruction ID: e7ba7df359047b9f7d2fb50e6a1e6d3f749257c68305dd57c56863f14651b8a2
Opcode Fuzzy Hash: 5e08ba529bd44c45d495a58afa41c96b313d0c43d68bb854fea97fea9a242c61
Instruction Fuzzy Hash: F021CD3460420AAFEB67DB68DC0CBDA3BE9AB55300F4581A4EAC5D70C0EB74D588CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010031B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 010031B9
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 010031D2
WriteFile.KERNEL32(?,?,?,00000000), ref: 010031FC
WriteFile.KERNEL32(***,***,?,00000000), ref: 01003223
SetLastError.KERNEL32(?), ref: 01003230

Strings

***, xrefs: 01003202, 0100321B, 0100321C

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: File$ErrorLastWrite$Pointer
String ID: ***
API String ID: 1741213463-1787515470
Opcode ID: bd1a880c0fd74f3e3aaf3f8094edb6d09557a454f4931668243cb4fdc7dc75a6
Instruction ID: dfc371324e643f589e5f525082b63d3a59a36b483f541a5f05082a357a1c6474
Opcode Fuzzy Hash: bd1a880c0fd74f3e3aaf3f8094edb6d09557a454f4931668243cb4fdc7dc75a6
Instruction Fuzzy Hash: 0B1182B5600108BFFB179FA8EC8CCAA3FADEB09204F004165FA8297155D6669D08C760

Uniqueness

Uniqueness Score: -1.00%

Function 01004188 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 010041A6
_stricmp.MSVCRT(00000000,.sys,00000000,01004225,?,?), ref: 010041BA
sprintf.MSVCRT ref: 010041E4
GetFileAttributesA.KERNEL32(?), ref: 010041EE

Strings

.%03u, xrefs: 010041DE
.sys, xrefs: 010041B4

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: AttributesFile_stricmpsprintfstrrchr
String ID: .%03u$.sys
API String ID: 3323407637-674990528
Opcode ID: 93fbbfc65a68c0b8cda7f977bf63784f05957d42985bdb116375dc3f79654125
Instruction ID: d06d3eb33f2d4a6483cad44c5bd68c66838b8727e09e1b8570c4ea300d6ca198
Opcode Fuzzy Hash: 93fbbfc65a68c0b8cda7f977bf63784f05957d42985bdb116375dc3f79654125
Instruction Fuzzy Hash: E00124393043405FF3238B2DAC98AA73BE9EF96621F10416EF3D9C21C6CB2588098365

Uniqueness

Uniqueness Score: -1.00%

Function 010035E6 Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 010035F8
LoadStringA.USER32(20000003,?,00000080,?), ref: 0100363F
MessageBoxA.USER32(?,00000000,00010010), ref: 0100365B
DeleteCriticalSection.KERNEL32(0100AD40), ref: 01003679
ExitProcess.KERNEL32 ref: 01003687

Memory Dump Source

Source File: 00000000.00000002.1991137525.0000000001002000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1991109239.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1991158052.000000000101C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_dotNetFx35setup.jbxd

Similarity

API ID: CriticalDeleteErrorExitLastLoadMessageProcessSectionString
String ID:
API String ID: 3880362259-0
Opcode ID: ef2bf3c7fc61280e6320d0fe6a687486d33a2858b9ab59cfd3f589d0d0649fd2
Instruction ID: b7a186db2c960cd8889d754ed03f65134f2ad4744c1360609cd8c44c3cc54c4b
Opcode Fuzzy Hash: ef2bf3c7fc61280e6320d0fe6a687486d33a2858b9ab59cfd3f589d0d0649fd2
Instruction Fuzzy Hash: 15016D31800218EFEB63EB64DC8DBE97BACBB08305F004254FAC0A61C4CB791548CB61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dotNetFx35setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: dotNetFx35setup.exePID: 4092, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: dotNetFx35setup.exePID: 4092, Parent PID: 1028COMMON

Non-executed Functions

Function 01004BAD Relevance: 155.1, APIs: 77, Strings: 11, Instructions: 1073windowtimestringCOMMON

Function 01004373 Relevance: 67.1, APIs: 30, Strings: 8, Instructions: 609filestringwindowCOMMON

Function 010036BA Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 176synchronizationlibraryshutdownCOMMON

Function 01002858 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 101libraryloaderCOMMON

Function 01005D0B Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 40libraryloadertimeCOMMON

Function 01003A05 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Function 01002975 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72fileCOMMON

Function 01003341 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39nativeCOMMON

Function 010032B1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54nativeCOMMON

Function 01005D91 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Function 01007F77 Relevance: .3, Instructions: 302COMMON

Function 0100832F Relevance: .3, Instructions: 293COMMON

Function 0100790C Relevance: .3, Instructions: 255COMMON

Function 01007C1C Relevance: .3, Instructions: 254COMMON

Windows Analysis Report
dotNetFx35setup.exe