Edit tour

Windows Analysis Report
Open.EXE

Overview

General Information

Sample name:	Open.EXE
Analysis ID:	1430718
MD5:	71b721a82f1db2747fad1df78e11f2ec
SHA1:	2239279c93ec64d077550d1f7072385d9b9763f3
SHA256:	7f79087dfc16b2b7fdb31c0d15f39fc35eeafe3542a4c81f007d51b8086aecf9
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Opens network shares

Binary contains a suspicious time stamp

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Found evasive API chain checking for process token information

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

Open.EXE (PID: 6792 cmdline: "C:\Users\user\Desktop\Open.EXE" MD5: 71B721A82F1DB2747FAD1DF78E11F2EC)

cmd.exe (PID: 6964 cmdline: cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 6700 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Open.EXE, ProcessId: 6792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF73F9830EC

Source: Open.EXE

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: Open.EXE
Source:	Binary string: wextract.pdbGCTL source: Open.EXE

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F98204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF73F98204C

Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F982C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,		0_2_00007FF73F982C54
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F981C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,		0_2_00007FF73F981C0C

Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F9866C4	0_2_00007FF73F9866C4
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F9840C4	0_2_00007FF73F9840C4
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F986CA4	0_2_00007FF73F986CA4
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F982DB4	0_2_00007FF73F982DB4
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F981D28	0_2_00007FF73F981D28
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F985D90	0_2_00007FF73F985D90
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F981C0C	0_2_00007FF73F981C0C
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F983530	0_2_00007FF73F983530

Source: Open.EXE

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 165 bytes, 1 file, at 0x2c +A "Open.cmd", ID 756, number 1, 1 datablock, 0x1503 compression

Source: Open.EXE	Binary or memory string: OriginalFilename vs Open.EXE
Source: Open.EXE, 00000000.00000000.1654646480.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs Open.EXE
Source: Open.EXE, 00000000.00000000.1654646480.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Open.EXE
Source: Open.EXE	Binary or memory string: OriginalFilenameWEXTRACT.EXE D vs Open.EXE
Source: Open.EXE	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Open.EXE

Source: classification engine

Classification label: sus25.spyw.winEXE@5/1@0/0

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F986CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00007FF73F986CA4

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F981C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,

0_2_00007FF73F981C0C

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9866C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,

0_2_00007FF73F9866C4

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F987AC8 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource,

0_2_00007FF73F987AC8

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03

Source: C:\Users\user\Desktop\Open.EXE

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: Open.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Open.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: unknown	Process created: C:\Users\user\Desktop\Open.EXE "C:\Users\user\Desktop\Open.EXE"
Source: C:\Users\user\Desktop\Open.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\Desktop\Open.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd	Jump to behavior

Source: C:\Users\user\Desktop\Open.EXE	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Section loaded: advpack.dll	Jump to behavior

Source: Open.EXE

Static PE information: Image base 0x140000000 > 0x60000000

Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Open.EXE	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Open.EXE

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Open.EXE

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Open.EXE
Source:	Binary string: wextract.pdbGCTL source: Open.EXE

Source: Open.EXE	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Open.EXE	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Open.EXE	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Open.EXE	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Open.EXE	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Open.EXE

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF73F9830EC

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F981684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00007FF73F981684

Source: C:\Users\user\Desktop\Open.EXE	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\Open.EXE	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Open.EXE

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2343

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F98204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,

0_2_00007FF73F98204C

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9864E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00007FF73F9864E4

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,

0_2_00007FF73F9830EC

Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F988790 SetUnhandledExceptionFilter,		0_2_00007FF73F988790
Source: C:\Users\user\Desktop\Open.EXE	Code function: 0_2_00007FF73F988494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF73F988494

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F9811CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00007FF73F9811CC

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F988964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF73F988964

Source: C:\Users\user\Desktop\Open.EXE

Code function: 0_2_00007FF73F982C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,

0_2_00007FF73F982C54

Stealing of Sensitive Information

Opens network shares

Source: C:\Windows\System32\cmd.exe

File opened: \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	1 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Rundll32	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Timestomp	NTDS	5 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430718
Start date and time:	2024-04-24 04:59:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Open.EXE
Detection:	SUS
Classification:	sus25.spyw.winEXE@5/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\Open.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	67
Entropy (8bit):	4.666470720147067
Encrypted:	false
SSDEEP:	3:IdEBEUoy5n+Aa769pB5QJzd:/BEFy5+Aa+zQd
MD5:	2DC636433B2FD3F8FD682E49C5403E0A
SHA1:	DE568814299574D1ED80A38899199C59B33F2A66
SHA-256:	FEB49D4AF8491B66F779154560D404394396916C0C0C636690FBA21F402EB45A
SHA-512:	7E7F4F24CC0B7561705EF47A8A653C4FEF7391234245255DD1A1A12A2C85ED33C51C6C7A4062FFDEA40E151171EDE73D9525154E9D05CEDE6ED397CDCD0EA268
Malicious:	false
Reputation:	low
Preview:	EXPLORER "\\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\3"

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.869085505362055
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Open.EXE
File size:	155'136 bytes
MD5:	71b721a82f1db2747fad1df78e11f2ec
SHA1:	2239279c93ec64d077550d1f7072385d9b9763f3
SHA256:	7f79087dfc16b2b7fdb31c0d15f39fc35eeafe3542a4c81f007d51b8086aecf9
SHA512:	bd89c4061b3dfd6cf236af842e5b6f1617198806fe887339ef54e9ad44d69bb32c97744b888a42b85f2b8cc6a08e7dd66ddb4d4eafd1b69ff9e50e64b12582ea
SSDEEP:	3072:eahKyd2n31w5GWp1icKAArDZz4N9GhbkrNEkGXuk:eahOwp0yN90QEn
TLSH:	D7E3AE5A76E420B6D4B983B584E303939A71B8B15B5406FF27D4D97A1E232C4B232F1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x140008200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	4cea7ae85c87ddc7295d39ff9cda31d1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBBE88FEED0h
dec eax
add esp, 28h
jmp 00007FBBE88FE77Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000011CDh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00004922h], ebx
je 00007FBBE88FE77Ch
dec eax
cmp eax, ebx
jne 00007FBBE88FE78Ch
mov edi, 00000001h
mov eax, dword ptr [00004918h]
cmp eax, 01h
jne 00007FBBE88FE789h
lea ecx, dword ptr [eax+1Eh]
call 00007FBBE88FED63h
jmp 00007FBBE88FE7ECh
mov ecx, 000003E8h
call dword ptr [0000117Eh]
jmp 00007FBBE88FE739h
mov eax, dword ptr [000048F6h]
test eax, eax
jne 00007FBBE88FE7CBh
mov dword ptr [000048E8h], 00000001h
dec esp
lea esi, dword ptr [000013E9h]
dec eax
lea ebx, dword ptr [000013CAh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007FBBE88FE797h
test eax, eax
jne 00007FBBE88FE797h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007FBBE88FE782h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00001388h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa23c	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x1ade8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x408	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9a10	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9010	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9128	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7b80	0x7c00	60800deac1fde21b98089f2241ee6168	False	0.5499936995967742	data	6.096261782871538	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x22c8	0x2400	59d15cdf89780817c3d48dd588a6a129	False	0.4136284722222222	data	4.727841929207054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x1f00	0x400	9d1580dccaf8e787a43caf4bba48a079	False	0.3212890625	data	3.1889769845125677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x408	0x600	15cd12257317071f28e4f7b728f8825e	False	0.3932291666666667	data	3.1563665040475675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x1b000	0x1ae00	131d4271ea11e905f7f5ba7a1914c86f	False	0.7354106104651162	data	7.083828180525212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0x20	0x200	637787151ee546a94902de9694a58fd6	False	0.083984375	data	0.4068473715812382	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xfa10	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0x1282c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0x12e94	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x1317c	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x13364	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x1348c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x14334	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x14bdc	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x152a4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x1580c	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x231e0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x25788	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x26830	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x271b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x27620	0x1e2	data	Japanese	Japan	0.6037344398340249
RT_DIALOG	0x27804	0x146	data	Japanese	Japan	0.6840490797546013
RT_DIALOG	0x2794c	0x13e	data	Japanese	Japan	0.5880503144654088
RT_DIALOG	0x27a8c	0x194	data	Japanese	Japan	0.6386138613861386
RT_DIALOG	0x27c20	0x102	data	Japanese	Japan	0.6434108527131783
RT_DIALOG	0x27d24	0xea	data	Japanese	Japan	0.6324786324786325
RT_STRING	0x27e10	0x5e	Matlab v4 mat-file (little endian) \213\225U0\2140_0\3250\2410\2440\3530\2220\335OX[Y0\2130\3250\2510\3530\3000\3740\2220x\220\236bW0f0O0`0U0D0\0020\002, numeric, rows 0, columns 0	Japanese	Japan	0.8191489361702128
RT_STRING	0x27e70	0x2ec	data	Japanese	Japan	0.6377005347593583
RT_STRING	0x2815c	0x3b6	data	Japanese	Japan	0.5652631578947368
RT_STRING	0x28514	0x2d6	data	Japanese	Japan	0.6033057851239669
RT_STRING	0x287ec	0x282	data	Japanese	Japan	0.6557632398753894
RT_STRING	0x28a70	0x1be	data	Japanese	Japan	0.6165919282511211
RT_RCDATA	0x28c30	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x28c38	0xa5	Microsoft Cabinet archive data, Windows 2000/XP setup, 165 bytes, 1 file, at 0x2c +A "Open.cmd", ID 756, number 1, 1 datablock, 0x1503 compression	Japanese	Japan	0.8787878787878788
RT_RCDATA	0x28ce0	0x4	data	Japanese	Japan	3.0
RT_RCDATA	0x28ce4	0x24	data	Japanese	Japan	0.8888888888888888
RT_RCDATA	0x28d08	0x7	ASCII text, with no line terminators	Japanese	Japan	2.142857142857143
RT_RCDATA	0x28d10	0x7	ASCII text, with no line terminators	Japanese	Japan	2.142857142857143
RT_RCDATA	0x28d18	0x4	data	Japanese	Japan	3.0
RT_RCDATA	0x28d1c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x28d24	0x4	data	Japanese	Japan	3.0
RT_RCDATA	0x28d28	0x4d	ASCII text, with no line terminators	English	United States	1.051948051948052
RT_RCDATA	0x28d78	0x4	data	Japanese	Japan	3.0
RT_RCDATA	0x28d7c	0x5	ASCII text, with no line terminators	Japanese	Japan	2.6
RT_RCDATA	0x28d84	0x7	ASCII text, with no line terminators	Japanese	Japan	2.142857142857143
RT_RCDATA	0x28d8c	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x28d94	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x28e50	0x400	data	English	United States	0.416015625
RT_VERSION	0x29250	0x3b0	data	Japanese	Japan	0.4936440677966102
RT_MANIFEST	0x29600	0x7e6	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.37734915924826906

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll	GetDeviceCaps
USER32.dll	ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll	?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll
Cabinet.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Japanese	Japan

Target ID:	0
Start time:	04:59:56
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\Open.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Open.EXE"
Imagebase:	0x7ff73f980000
File size:	155'136 bytes
MD5 hash:	71B721A82F1DB2747FAD1DF78E11F2EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:59:56
Start date:	24/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c \\fada-planner\Other\RevitTool\01_ToolList\files\3_PLC\exe\3\Open.cmd
Imagebase:	0x7ff60b1e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:59:56
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:00:06
Start date:	24/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff6e5820000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.2%
Total number of Nodes:	928
Total number of Limit Nodes:	42

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF73F9840C4 Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 371
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF73F984154
CompareStringA.KERNEL32 ref: 00007FF73F98421B

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

CompareStringA.KERNEL32 ref: 00007FF73F984313
GetProcAddress.KERNEL32 ref: 00007FF73F9843AF
FreeLibrary.KERNEL32 ref: 00007FF73F984480
LocalFree.KERNEL32 ref: 00007FF73F9844B0
FreeLibrary.KERNEL32 ref: 00007FF73F9844D3
LocalFree.KERNEL32 ref: 00007FF73F9844E2

Strings

SHOWWINDOW, xrefs: 00007FF73F984178
wextract_cleanup0, xrefs: 00007FF73F984636, 00007FF73F9846F9
<None>, xrefs: 00007FF73F9841FD, 00007FF73F9842F5
POSTRUNPROGRAM, xrefs: 00007FF73F9842D4
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F9843E6, 00007FF73F9846B3
advpack.dll, xrefs: 00007FF73F984579
Open, xrefs: 00007FF73F9843CE
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF73F9846C9
USRQCMD, xrefs: 00007FF73F9841E3
REBOOT, xrefs: 00007FF73F984123
DoInfInstall, xrefs: 00007FF73F9843A5, 00007FF73F984526
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF73F984605
RUNPROGRAM, xrefs: 00007FF73F984244
ADMQCMD, xrefs: 00007FF73F9841D2

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$Open$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 2679723528-1204618267
Opcode ID: 0c4c091c83e196b5ae14768e43b06ee368c2eb7d1cf369b03675d16fd48c86c9
Instruction ID: 73543dfb7650e3c86fbea017848df8c77e93a19b6dda32b9e5fd28481f0e08ba
Opcode Fuzzy Hash: 0c4c091c83e196b5ae14768e43b06ee368c2eb7d1cf369b03675d16fd48c86c9
Instruction Fuzzy Hash: 230250B1A086C2A6E728AB24E8405F9BBA4FF957C4FD40136DA4E8365CDF3DD544E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F981D28 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 183
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF73F981D6A
memset.MSVCRT ref: 00007FF73F981D78
RegCreateKeyExA.KERNELBASE ref: 00007FF73F981DBA

Part of subcall function 00007FF73F98114C: _vsnprintf.MSVCRT ref: 00007FF73F981189

RegQueryValueExA.KERNELBASE ref: 00007FF73F981E0F
RegCloseKey.ADVAPI32 ref: 00007FF73F981E2E
GetSystemDirectoryA.KERNEL32 ref: 00007FF73F981E4C
LoadLibraryA.KERNELBASE ref: 00007FF73F981E6E
GetProcAddress.KERNEL32 ref: 00007FF73F981E90
FreeLibrary.KERNELBASE ref: 00007FF73F981EA9
GetSystemDirectoryA.KERNEL32 ref: 00007FF73F981EC5
LocalAlloc.KERNEL32 ref: 00007FF73F981F21
GetModuleFileNameA.KERNEL32 ref: 00007FF73F981F64
RegCloseKey.ADVAPI32 ref: 00007FF73F981F7D
RegSetValueExA.KERNELBASE ref: 00007FF73F981FED
RegCloseKey.KERNELBASE ref: 00007FF73F981FFE
LocalFree.KERNEL32 ref: 00007FF73F98200D

Strings

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00007FF73F981FAE
wextract_cleanup0, xrefs: 00007FF73F981DE2, 00007FF73F981DFD, 00007FF73F981FD2
%s /D:%s, xrefs: 00007FF73F981F99
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF73F981D8A
DelNodeRunDLL32, xrefs: 00007FF73F981E86
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F981EEC
advpack.dll, xrefs: 00007FF73F981E58
wextract_cleanup%d, xrefs: 00007FF73F981DD6

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-3726664654
Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
Instruction ID: 5e3d4d18151062354756fcab6202646b3c06743d55bcc3477a4af2d675a77a4a
Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
Instruction Fuzzy Hash: AC814DB2A08AC5A6EB14AF11E8402F9FBA4FB89B94F845131DA4E8375CDF3CE145D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F981684 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 350
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32 ref: 00007FF73F981838
GetFileAttributesA.KERNEL32 ref: 00007FF73F981852
LocalAlloc.KERNEL32 ref: 00007FF73F9818BF
GetPrivateProfileIntA.KERNEL32 ref: 00007FF73F9818FC
GetPrivateProfileStringA.KERNEL32 ref: 00007FF73F98193F
GetShortPathNameA.KERNEL32 ref: 00007FF73F9819AC

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Strings

Command.com /c %s, xrefs: 00007FF73F981A60
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00007FF73F9819CE
.BAT, xrefs: 00007FF73F981A31
setupapi.dll, xrefs: 00007FF73F9819BA
DefaultInstall, xrefs: 00007FF73F9818DC
Version, xrefs: 00007FF73F981930
.INF, xrefs: 00007FF73F98181A
setupx.dll, xrefs: 00007FF73F9819A5
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F9817B0
AdvancedINF, xrefs: 00007FF73F981929
Reboot, xrefs: 00007FF73F9818EB

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: .BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-3544074861
Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
Instruction ID: f179eb5dfd7f8e12c7b5d3d33875b18b187cd4b3126bc44c63609809dc4b6405
Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
Instruction Fuzzy Hash: 26E1AFA2A087C2A5EB19AF10E4402F9B7A4EB45BC4FD44136DA4D8379DDF3DE589D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9866C4 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

LocalAlloc.KERNEL32 ref: 00007FF73F986710
lstrcmpA.KERNEL32 ref: 00007FF73F9867AF
LocalFree.KERNEL32 ref: 00007FF73F9867D6
LocalFree.KERNEL32 ref: 00007FF73F98678D

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Part of subcall function 00007FF73F987700: GetLastError.KERNEL32 ref: 00007FF73F987704

GetTempPathA.KERNELBASE ref: 00007FF73F986862
GetDriveTypeA.KERNEL32 ref: 00007FF73F9868FE
GetFileAttributesA.KERNEL32 ref: 00007FF73F98691B
GetDiskFreeSpaceA.KERNEL32 ref: 00007FF73F986973
MulDiv.KERNEL32 ref: 00007FF73F986996
GetWindowsDirectoryA.KERNEL32 ref: 00007FF73F986A0A
GetFileAttributesA.KERNEL32 ref: 00007FF73F986A2F
CreateDirectoryA.KERNEL32 ref: 00007FF73F986A47
SetFileAttributesA.KERNEL32 ref: 00007FF73F986A77
GetWindowsDirectoryA.KERNEL32 ref: 00007FF73F986AE3

Part of subcall function 00007FF73F987AC8: FindResourceA.KERNEL32 ref: 00007FF73F987AF2
Part of subcall function 00007FF73F987AC8: LoadResource.KERNEL32 ref: 00007FF73F987B09
Part of subcall function 00007FF73F987AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF73F987B3F
Part of subcall function 00007FF73F987AC8: FreeResource.KERNEL32 ref: 00007FF73F987B51

Strings

Z, xrefs: 00007FF73F9868EE
msdownld.tmp, xrefs: 00007FF73F986A16
<None>, xrefs: 00007FF73F9867A5
RUNPROGRAM, xrefs: 00007FF73F9866F8, 00007FF73F986759
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F98684F
A:\, xrefs: 00007FF73F9868AD

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 3973824516-2740620654
Opcode ID: 2d8e839b3a043200ffa940665c8789ad88760caaed9a3537215d82f6b3617662
Instruction ID: bf8cfc17573a277c09991112062c6263d6dc3b1ad65994c6ade6dcf5addc1715
Opcode Fuzzy Hash: 2d8e839b3a043200ffa940665c8789ad88760caaed9a3537215d82f6b3617662
Instruction Fuzzy Hash: E1D1B2A2A186C6A6EB18AF20D4106FAF7A1FB857C4FD04035DA4E8769DDF3DD805D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982DB4 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 179
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF73F982E08
memset.MSVCRT ref: 00007FF73F982E1C

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

CreateEventA.KERNEL32 ref: 00007FF73F982E59
SetEvent.KERNEL32 ref: 00007FF73F982E6F
CreateMutexA.KERNEL32 ref: 00007FF73F982F06
GetLastError.KERNEL32 ref: 00007FF73F982F22
FindResourceA.KERNEL32 ref: 00007FF73F982FEE
LoadResource.KERNEL32 ref: 00007FF73F983005

Part of subcall function 00007FF73F983BF4: GetVersionExA.KERNEL32 ref: 00007FF73F983C3F

#17.COMCTL32 ref: 00007FF73F98301D
CloseHandle.KERNEL32 ref: 00007FF73F982F88

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Strings

INSTANCECHECK, xrefs: 00007FF73F982EE0
VERCHECK, xrefs: 00007FF73F982FE4
Open, xrefs: 00007FF73F982E30, 00007FF73F982F38
EXTRACTOPT, xrefs: 00007FF73F982E86
TITLE, xrefs: 00007FF73F982E37
, xrefs: 00007FF73F982F6F

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
String ID: $EXTRACTOPT$INSTANCECHECK$Open$TITLE$VERCHECK
API String ID: 3100096412-1926350809
Opcode ID: f21eaf2065c6241e7a519f3bddc1b5d75266ef9fda77f4a4b915c60b794fde5a
Instruction ID: 71e0a342a3f96e240fcb4fb4f8c4e8b1afb8c09a9c5792ea832e70400989b328
Opcode Fuzzy Hash: f21eaf2065c6241e7a519f3bddc1b5d75266ef9fda77f4a4b915c60b794fde5a
Instruction Fuzzy Hash: BE815EE1A186C3A6F728BB11E4007F9E690AF897D4FD04036D94EC669DCF7CA405EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F986CA4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 00007FF73F986CEE
SetCurrentDirectoryA.KERNELBASE ref: 00007FF73F986CFD
GetDiskFreeSpaceA.KERNELBASE ref: 00007FF73F986D6C
MulDiv.KERNEL32 ref: 00007FF73F986D98
GetVolumeInformationA.KERNELBASE ref: 00007FF73F986DD6
memset.MSVCRT ref: 00007FF73F986DF4
GetLastError.KERNEL32 ref: 00007FF73F986E04
FormatMessageA.KERNEL32 ref: 00007FF73F986E2F
SetCurrentDirectoryA.KERNEL32 ref: 00007FF73F986FDD

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Part of subcall function 00007FF73F987700: GetLastError.KERNEL32 ref: 00007FF73F987704

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F986CBA

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 4237285672-305352358
Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
Instruction ID: 25443228a86fe5f6510f63806889362b77f14ef0c71bdb52c67f1a50e5323f53
Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
Instruction Fuzzy Hash: 57A193B6A1878596E724AF21E4406EAFBA5FB89784F804135DA4E87B5CCF3CD409DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985D90 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

FindResourceA.KERNEL32 ref: 00007FF73F985DC0
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F983300), ref: 00007FF73F985DD1
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F983300), ref: 00007FF73F985DE0
GetDlgItem.USER32 ref: 00007FF73F985E0D
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF73F983300), ref: 00007FF73F985E1E
GetDlgItem.USER32 ref: 00007FF73F985E36
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000000,00007FF73F983300), ref: 00007FF73F985E4A
#20.CABINET ref: 00007FF73F985EBD
#22.CABINET ref: 00007FF73F985F03
#23.CABINET ref: 00007FF73F985F18
FreeResource.KERNEL32 ref: 00007FF73F985F61
SendMessageA.USER32 ref: 00007FF73F985FC3

Strings

*MEMCAB, xrefs: 00007FF73F985EF4
CABINET, xrefs: 00007FF73F985D9D, 00007FF73F985DB7

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: f882a7c50b35efb5f215cde0c72f03eaf3176b93dc19dac94f7000cee1ca45cb
Instruction ID: 7076bd195e217f304daa16d6a7f19c3ebb1e4ad6f05a14daf7836c674dd35674
Opcode Fuzzy Hash: f882a7c50b35efb5f215cde0c72f03eaf3176b93dc19dac94f7000cee1ca45cb
Instruction Fuzzy Hash: D951FDB1A08B82A6EB18AB11E8547F5F7A4FF89B95FC44136D94E8265CDF3CD008D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9830EC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF73F983167
LoadLibraryA.KERNEL32 ref: 00007FF73F98318B
GetProcAddress.KERNEL32 ref: 00007FF73F9831A9
DecryptFileA.ADVAPI32 ref: 00007FF73F9831C3
FreeLibrary.KERNEL32 ref: 00007FF73F9831CC
GetWindowsDirectoryA.KERNEL32 ref: 00007FF73F9831FD

Part of subcall function 00007FF73F9860A4: LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF73F983123), ref: 00007FF73F9860C9

Strings

advapi32.dll, xrefs: 00007FF73F983173
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F9831BC, 00007FF73F983273
DecryptFileA, xrefs: 00007FF73F98319F

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 3010855178-1173327654
Opcode ID: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
Instruction ID: 3a65a7df9c2c8870f5378c3e16b879735ccb22739c3961b362ee4bca02bd8d21
Opcode Fuzzy Hash: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
Instruction Fuzzy Hash: 797132E1E0C6C3A5FB69BB11E840AF5E695AF987D0FC04036D94EC269DDF2CE445E620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9864E4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF73F982CE1), ref: 00007FF73F98657C
CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF73F982CE1), ref: 00007FF73F98662F
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF73F982CE1), ref: 00007FF73F98666F

Part of subcall function 00007FF73F9863B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF73F982CE1), ref: 00007FF73F986423
Part of subcall function 00007FF73F9863B8: GetFileAttributesA.KERNELBASE ref: 00007FF73F986432
Part of subcall function 00007FF73F9863B8: GetTempFileNameA.KERNEL32 ref: 00007FF73F98645B
Part of subcall function 00007FF73F9863B8: DeleteFileA.KERNEL32 ref: 00007FF73F986473
Part of subcall function 00007FF73F9863B8: CreateDirectoryA.KERNEL32 ref: 00007FF73F986484

Strings

mips, xrefs: 00007FF73F9865B2
alpha, xrefs: 00007FF73F9865A9
i386, xrefs: 00007FF73F9865BB
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F986528, 00007FF73F9865DF
ppc, xrefs: 00007FF73F9865A0

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-3374052426
Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
Instruction ID: eb4afa9a9c4759a025adc848a0b4593f1658dbee93c32044ab21c921123dc171
Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
Instruction Fuzzy Hash: C35175E1E0D6C6A1FB59AB15E8102F9E7A4AF44BC0FD44135C94EC669DDF3DE804E620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982C54 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00007FF73F982C69
GetModuleHandleW.KERNEL32 ref: 00007FF73F982C86
GetProcAddress.KERNEL32 ref: 00007FF73F982CA1
ExitWindowsEx.USER32 ref: 00007FF73F982D6C
CloseHandle.KERNEL32 ref: 00007FF73F982D8B

Strings

HeapSetInformation, xrefs: 00007FF73F982C97
@, xrefs: 00007FF73F982D45
Kernel32.dll, xrefs: 00007FF73F982C7F

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Handle$AddressCloseExitModuleProcVersionWindows
String ID: @$HeapSetInformation$Kernel32.dll
API String ID: 1302179841-1204263913
Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
Instruction ID: 71bbae0d1b9860d99cbf7f312736b1baa5a59ae1ed58ad22a9105d2621226d53
Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
Instruction Fuzzy Hash: FD312FA1A086C2AAFB6C7B10E4446F5EA90AF55BD0FC44135D90E8669DCF6DE444A630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F98204C Relevance: 12.1, APIs: 8, Instructions: 119filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE ref: 00007FF73F9820E5
lstrcmpA.KERNEL32 ref: 00007FF73F982144
lstrcmpA.KERNEL32 ref: 00007FF73F982164
SetFileAttributesA.KERNEL32 ref: 00007FF73F9821BD
DeleteFileA.KERNEL32 ref: 00007FF73F9821CD
FindNextFileA.KERNELBASE ref: 00007FF73F9821E1
FindClose.KERNELBASE ref: 00007FF73F9821F8
RemoveDirectoryA.KERNELBASE ref: 00007FF73F982207

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
Instruction ID: 4c1aec0dc7129cbec8b7a30531ef3c46df50d25ba5d6b2c744aae2e9e625b0ec
Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
Instruction Fuzzy Hash: 5C516DB2608BC5A5EB15AF20D8402E8ABA1FB45BC4FC48171DA4E8769DDF3CD509D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F987AC8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF73F987AF2
LoadResource.KERNEL32 ref: 00007FF73F987B09
DialogBoxIndirectParamA.USER32 ref: 00007FF73F987B3F
FreeResource.KERNEL32 ref: 00007FF73F987B51

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 49aab33a39cc72be79b49f501bba61147af0a043aada8a8b069909c25daef280
Instruction ID: 19761fbcda4cb6fe4d2e63b8cc2b7ef169335613001ee404d1db18136351d7d3
Opcode Fuzzy Hash: 49aab33a39cc72be79b49f501bba61147af0a043aada8a8b069909c25daef280
Instruction Fuzzy Hash: 4C118171A08B8192EB149B11F8002A9FAA1FB89FE0F884735DE5E43B9CDF3CD0409B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F983910 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 119
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNELBASE ref: 00007FF73F983964
ResetEvent.KERNEL32 ref: 00007FF73F98398C
SetEvent.KERNEL32 ref: 00007FF73F9839D3
GetDesktopWindow.USER32 ref: 00007FF73F983A18
GetDlgItem.USER32 ref: 00007FF73F983A42
SendMessageA.USER32 ref: 00007FF73F983A5F
GetDlgItem.USER32 ref: 00007FF73F983A70
SendMessageA.USER32 ref: 00007FF73F983A8F
SetWindowTextA.USER32 ref: 00007FF73F983AA5
CreateThread.KERNELBASE ref: 00007FF73F983AD0
EndDialog.USER32 ref: 00007FF73F983B1A

Strings

, xrefs: 00007FF73F9839B6
Open, xrefs: 00007FF73F983A9B

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
String ID: $Open
API String ID: 2654313074-2804539095
Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
Instruction ID: 422ecb5eb56a717bf4a37e3110a9b3e49c71af5f0790530196bbdaa10d5fc0e3
Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
Instruction Fuzzy Hash: 0F5178B1A086C2D6E7586B11E4446F9FA91FB89BD5F849231C91E83B9CCF3C9045D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9861EC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00007FF73F986231
DeleteFileA.KERNELBASE ref: 00007FF73F986240
LocalFree.KERNEL32 ref: 00007FF73F986253
LocalFree.KERNEL32 ref: 00007FF73F986262
SetCurrentDirectoryA.KERNELBASE ref: 00007FF73F9862FB
RegOpenKeyExA.KERNELBASE ref: 00007FF73F98634E
RegDeleteValueA.KERNELBASE ref: 00007FF73F98636A
RegCloseKey.ADVAPI32 ref: 00007FF73F98637B

Strings

wextract_cleanup0, xrefs: 00007FF73F986363
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00007FF73F986340
C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F98629C

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 3049360512-3137473940
Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
Instruction ID: 32ca6ca5cebf6d5107e0082290228e41159dc3ecdac12c8446a2f5b328f107da
Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
Instruction Fuzzy Hash: 8B5111A1A086C6A6EB19AB14E4443F9B7A0FB45BC5FC44171D64EC769DCF2CE848D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F98473C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FF73F9847AE
WaitForSingleObject.KERNEL32 ref: 00007FF73F9847CA
GetExitCodeProcess.KERNELBASE ref: 00007FF73F9847E0
CloseHandle.KERNEL32 ref: 00007FF73F984881
CloseHandle.KERNEL32 ref: 00007FF73F984892
GetLastError.KERNEL32 ref: 00007FF73F9848BE
FormatMessageA.KERNEL32 ref: 00007FF73F9848EF

Strings

, xrefs: 00007FF73F98479C

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-3916222277
Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
Instruction ID: 78e0eaeceb6082a07387d8ced480c52289ebaac752b0c6345a7c600c0c0b051c
Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
Instruction Fuzzy Hash: DC517CB29086C1D6F768AB14E4447F9F6A0FF88794F804136EA4E826ADCF7CD444DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982318 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00007FF73F98236D
RegQueryValueExA.KERNELBASE ref: 00007FF73F98239C
RegCloseKey.ADVAPI32 ref: 00007FF73F9823B7
RegOpenKeyExA.ADVAPI32 ref: 00007FF73F9823EE
RegQueryInfoKeyA.ADVAPI32 ref: 00007FF73F982436

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 00007FF73F98235F
System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00007FF73F9823E0
PendingFileRenameOperations, xrefs: 00007FF73F98238A

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: OpenQuery$CloseInfoValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2209512893-559176071
Opcode ID: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
Instruction ID: f120063a72a4a169442dd504ca0b760232044e3ae7463f5d7fca11f07611ff0b
Opcode Fuzzy Hash: 9f23079a79aaf393f30d7d52ead263bb4ecc079f7f4d037dad90965ff67e785b
Instruction Fuzzy Hash: 61316F72608B81DAD7249F24F8506E9FBA4FB89B94F844535E64D83B5CDF38D150DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9863B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73F98114C: _vsnprintf.MSVCRT ref: 00007FF73F981189

RemoveDirectoryA.KERNELBASE(0000000A,00007FF73F982CE1), ref: 00007FF73F986423
GetFileAttributesA.KERNELBASE ref: 00007FF73F986432
GetTempFileNameA.KERNEL32 ref: 00007FF73F98645B
DeleteFileA.KERNEL32 ref: 00007FF73F986473
CreateDirectoryA.KERNEL32 ref: 00007FF73F986484
CreateDirectoryA.KERNELBASE ref: 00007FF73F9864BB

Strings

IXP%03d.TMP, xrefs: 00007FF73F9863E6
IXP, xrefs: 00007FF73F98644E

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: IXP$IXP%03d.TMP
API String ID: 1082909758-3932986939
Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
Instruction ID: 0fa95268ffcdaad6a3c0bc991e43a1a3fc89f430d93f65b1b917d5bcbd99a204
Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
Instruction Fuzzy Hash: 75214FB16089C1A6F718AB26E9503F9E691EB8ABC0F848130DD4E877ADCF3CD445D610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F988200 Relevance: 12.1, APIs: 8, Instructions: 136sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F988964: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73F988994
Part of subcall function 00007FF73F988964: GetCurrentProcessId.KERNEL32 ref: 00007FF73F9889A2
Part of subcall function 00007FF73F988964: GetCurrentThreadId.KERNEL32 ref: 00007FF73F9889AE
Part of subcall function 00007FF73F988964: GetTickCount.KERNEL32 ref: 00007FF73F9889BA
Part of subcall function 00007FF73F988964: GetTickCount.KERNEL32 ref: 00007FF73F9889CA
Part of subcall function 00007FF73F988964: QueryPerformanceCounter.KERNEL32 ref: 00007FF73F9889E5

GetStartupInfoW.KERNEL32 ref: 00007FF73F988235
_amsg_exit.MSVCRT ref: 00007FF73F988270
Sleep.KERNEL32 ref: 00007FF73F98827C
_initterm.MSVCRT ref: 00007FF73F98830A
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF73F988337
exit.KERNELBASE ref: 00007FF73F9883C9
_cexit.MSVCRT ref: 00007FF73F9883D8
_ismbblead.MSVCRT ref: 00007FF73F9883F8

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
Instruction ID: 20ead58cb8d3edd3430ac02648bf5f7505707a8d737f20398d5f65571eda8715
Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
Instruction Fuzzy Hash: AE511BB1908AC2A6E768AB21E9543F9A2E4FB447D4FD80075D94DC369DDF3CE841E630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9860A4 Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF73F983123), ref: 00007FF73F9860C9
LocalFree.KERNEL32 ref: 00007FF73F986142

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Part of subcall function 00007FF73F987700: GetLastError.KERNEL32 ref: 00007FF73F987704

Strings

, xrefs: 00007FF73F986198
<None>, xrefs: 00007FF73F98615A
UPROMPT, xrefs: 00007FF73F9860B1, 00007FF73F98610E

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: $<None>$UPROMPT
API String ID: 957408736-2569542085
Opcode ID: 3f9fe5337bcce2b93c7e77de5b04aed7ad53957daffb592c1919ade272611d49
Instruction ID: 71c56aadc3581e1bceb783b96b80ed8caaea825d1f6072c530f2b66ddd0bdf41
Opcode Fuzzy Hash: 3f9fe5337bcce2b93c7e77de5b04aed7ad53957daffb592c1919ade272611d49
Instruction Fuzzy Hash: 663164F1A0C682A7F7286B20E5507FAFA51EF85BD4F804135DA0E8669DDF7DE4049B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985380 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF73F985407
CreateFileA.KERNELBASE ref: 00007FF73F9854C5
CreateFileA.KERNEL32 ref: 00007FF73F98557E

Strings

*MEMCAB, xrefs: 00007FF73F9853FD

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CreateFile$lstrcmp
String ID: *MEMCAB
API String ID: 1301100335-3211172518
Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
Instruction ID: d7c4b9f16c15edef6140c6e79e598efedb2e78ede11084de51d2918d0c5eb6cf
Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
Instruction Fuzzy Hash: B561C7E69087C196F7689B14A4807B9BA91EB45BF4F844335CA6E837CCCF3DE4099720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9858B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32 ref: 00007FF73F98598F
LocalFileTimeToFileTime.KERNEL32 ref: 00007FF73F9859AD
SetFileTime.KERNELBASE ref: 00007FF73F9859D5
SetFileAttributesA.KERNELBASE ref: 00007FF73F985A0B
SetWindowTextA.USER32 ref: 00007FF73F985A3E

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F98593B, 00007FF73F985A5A

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: FileTime$AttributesDateLocalTextWindow
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1150793416-305352358
Opcode ID: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
Instruction ID: 2263657c17f95d60c14391ee61a0f8cab63d85e8f24bbf08134f16bcfe9b3122
Opcode Fuzzy Hash: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
Instruction Fuzzy Hash: 445174B2A186C2A1EB6CAB11D4501F9A790FF48BE0FC45136DA4EC329DCE3CE549D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F984C68 Relevance: 10.6, APIs: 7, Instructions: 100COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF73F984C9B
GetWindowRect.USER32 ref: 00007FF73F984CBC
GetDC.USER32 ref: 00007FF73F984CD9
GetDeviceCaps.GDI32 ref: 00007FF73F984CF0
GetDeviceCaps.GDI32 ref: 00007FF73F984D07
ReleaseDC.USER32 ref: 00007FF73F984D20
SetWindowPos.USER32 ref: 00007FF73F984D92

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
Instruction ID: ef443fbee32df4ef321b96db122788061572667ac01e280c356e59d1540c1a2f
Opcode Fuzzy Hash: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
Instruction Fuzzy Hash: AB319F72B146919AE7149B75E8049FDBBA0F789B99F885130CE0A93B0CCF3CE449CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F986B70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF73F986BA0

Strings

TMP4351$.TMP, xrefs: 00007FF73F986C03

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: AllocLocal
String ID: TMP4351$.TMP
API String ID: 3494564517-2619824408
Opcode ID: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
Instruction ID: 151e915d70f1caa386fa80a5f3ecd5813b8748a7e2e08acef77ddec9ae5d31bc
Opcode Fuzzy Hash: d5ace99f2663905ba72166a92556dafad1272f0db083ef97e46a8f7b12bd3ef1
Instruction Fuzzy Hash: 7D3161B1A0868596F7186B25A4103FAF690EB85BF4F845334DA6A867DDCF3CE4059710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F983F74 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 71memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

LocalAlloc.KERNEL32(?,?,?,?,?,00007FF73F983139), ref: 00007FF73F983F95
LocalFree.KERNEL32 ref: 00007FF73F984018

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Part of subcall function 00007FF73F987700: GetLastError.KERNEL32 ref: 00007FF73F987704

lstrcmpA.KERNEL32(?,?,?,?,?,00007FF73F983139), ref: 00007FF73F98403E
LocalFree.KERNEL32(?,?,?,?,?,00007FF73F983139), ref: 00007FF73F98409F

Part of subcall function 00007FF73F987AC8: FindResourceA.KERNEL32 ref: 00007FF73F987AF2
Part of subcall function 00007FF73F987AC8: LoadResource.KERNEL32 ref: 00007FF73F987B09
Part of subcall function 00007FF73F987AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF73F987B3F
Part of subcall function 00007FF73F987AC8: FreeResource.KERNEL32 ref: 00007FF73F987B51

LocalFree.KERNEL32 ref: 00007FF73F984078

Strings

LICENSE, xrefs: 00007FF73F983F7D, 00007FF73F983FE0
<None>, xrefs: 00007FF73F984037

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 2a56340b2f00b815a7c44a1288c62c107f96cf42b55428e5d812d1c0fdd60103
Instruction ID: c5b05eba00aff50ac119b31a52f2b4324ef3602267443ad3feef6b5130092a67
Opcode Fuzzy Hash: 2a56340b2f00b815a7c44a1288c62c107f96cf42b55428e5d812d1c0fdd60103
Instruction Fuzzy Hash: 823141B2A19682A6F718BF20E411BF6B660FF847C5FD04136D90E8665CDF7DE004AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985050 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF73F985078
SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
FindResourceA.KERNEL32 ref: 00007FF73F9850AF
LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
memcpy_s.MSVCRT ref: 00007FF73F9850EE
FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID:
API String ID: 3370778649-0
Opcode ID: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
Instruction ID: 393225f8414f2698db82feba010f28aa4201781b7f50f72d01a5333c1c671528
Opcode Fuzzy Hash: 3bf69dff85db5cdf34237252cc992bc602bd2b6bf5befdefafbb4c61634c3979
Instruction Fuzzy Hash: 83111AA1708B8197EB186B62A4440B9FAA1EB4EFD1B899138DD0F8375CDF3CD4459610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985690 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F983B40: MsgWaitForMultipleObjects.USER32 ref: 00007FF73F983B64
Part of subcall function 00007FF73F983B40: PeekMessageA.USER32 ref: 00007FF73F983B89
Part of subcall function 00007FF73F983B40: PeekMessageA.USER32 ref: 00007FF73F983BCD

WriteFile.KERNELBASE ref: 00007FF73F9856E4

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: MessagePeek$FileMultipleObjectsWaitWrite
String ID:
API String ID: 1084409-0
Opcode ID: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
Instruction ID: 5b809678492a2969ed23bdf340aca398d9f80ce9eddb284467c9b3cf5a2a2152
Opcode Fuzzy Hash: 98c152f8f55bf9a598385b6332d329f7c6a89d95a4b0cf9b0f7515c751b46731
Instruction Fuzzy Hash: 842192A1A085C296E718AF15E8447B5F7A0FB85BE4F948235D96D876ACCF3CD408DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9851BC Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE ref: 00007FF73F9851C9
SetFileAttributesA.KERNEL32 ref: 00007FF73F98524E

Part of subcall function 00007FF73F987AC8: FindResourceA.KERNEL32 ref: 00007FF73F987AF2
Part of subcall function 00007FF73F987AC8: LoadResource.KERNEL32 ref: 00007FF73F987B09
Part of subcall function 00007FF73F987AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF73F987B3F
Part of subcall function 00007FF73F987AC8: FreeResource.KERNEL32 ref: 00007FF73F987B51

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 2018477427-0
Opcode ID: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
Instruction ID: 157abcc2bfe91ef04523f219e2c75c935609deaf425cb457aa764c9c6af72d91
Opcode Fuzzy Hash: 2994afcc96e4644f858f991349daac6ec3ef4dc9132b2516fbef1fb9fafb314f
Instruction Fuzzy Hash: 7A119AB1D0C6C2A2F7586B10A9843F5E690EB457E8FD84231C94D866ACCF7DE888A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F987BA8 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CharPrevA.USER32 ref: 00007FF73F987BEF

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
Instruction ID: 32cd3d1911ebcecc640861a173a5fc3031e044f7acc749032053ba5d349cd9b1
Opcode Fuzzy Hash: fe64812d24aaa535377f96cafa4c6c3212caf3ba105ea9cba34c300c858a7088
Instruction Fuzzy Hash: 8A0145A1A0C7D196F3056F11EC403ADFA90A742BE0F989230DB6A8B7CDCB2CD4829711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985770 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FF73F9857A9

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
Instruction ID: 7779c7f249949af8b49103b7b6af29dabc8c5e36bb628797c0ad0de7bc2ffc37
Opcode Fuzzy Hash: b743c40088155ea186d23191c44c420b4fd161faa50afe9f4e766b5de3d239a5
Instruction Fuzzy Hash: 81F036716087C1E2EB1C5F25F5811F8B660EB48BA8F548239DA2B876DCCF78D485D720

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF73F983530 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 174windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF73F9835AA
EndDialog.USER32 ref: 00007FF73F98374E
GetDesktopWindow.USER32 ref: 00007FF73F98377E
SetWindowTextA.USER32 ref: 00007FF73F98379F
SendDlgItemMessageA.USER32 ref: 00007FF73F9837C3
GetDlgItem.USER32 ref: 00007FF73F9837E0
EnableWindow.USER32 ref: 00007FF73F9837F1
EndDialog.USER32 ref: 00007FF73F983804

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F983635
, xrefs: 00007FF73F9836B6
Open, xrefs: 00007FF73F983795

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
String ID: $C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Open
API String ID: 3530494346-1069084353
Opcode ID: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
Instruction ID: c9ec2fa29289e9d7957a860430be31982191ad7d3848c55b4d5f46259de01268
Opcode Fuzzy Hash: 02408ae6c79d5afd0dbd1d350f378b5c084b7eca4ab1b8cbcc717c39842157fc
Instruction Fuzzy Hash: 4171AAE1E0C6C2A6F758AB25A400BF9E691FB89BD0FD44130CA4E8678DCF3CD405A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9811CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF73F981209
GetProcAddress.KERNEL32 ref: 00007FF73F98122B
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF73F981278
FreeSid.ADVAPI32 ref: 00007FF73F9812A0
FreeLibrary.KERNEL32 ref: 00007FF73F9812AF

Strings

CheckTokenMembership, xrefs: 00007FF73F981221
advapi32.dll, xrefs: 00007FF73F9811FC

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
Instruction ID: 6ac338f50f1c64e549088c3eabb829b480a4c3439933bca6c7d3ff528e987169
Opcode Fuzzy Hash: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
Instruction Fuzzy Hash: F4314C76608B859AE7149F16F4441E9FBA4FB89B90F855139DE4E83718DF3CE045CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F981C0C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F982D7F), ref: 00007FF73F981C21
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF73F982D7F), ref: 00007FF73F981C3A
LookupPrivilegeValueA.ADVAPI32 ref: 00007FF73F981C7B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF73F981CB2
CloseHandle.KERNEL32 ref: 00007FF73F981CC5
ExitWindowsEx.USER32 ref: 00007FF73F981CF1

Strings

SeShutdownPrivilege, xrefs: 00007FF73F981C74

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 2829607268-3733053543
Opcode ID: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
Instruction ID: 61691ff67b53f6b6b6824d950d40f2037f2242e982c2784e695584757ee7dee8
Opcode Fuzzy Hash: 4521cc09d256cc9c0a3583f069d9fa5dc9083d0cfa193007e767185542f0c5c5
Instruction Fuzzy Hash: 232181B2A18682D7E7149B20E0557FAFBA0FB89B85F909135DA4E86A5CDF3CD044DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F988964 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73F988994
GetCurrentProcessId.KERNEL32 ref: 00007FF73F9889A2
GetCurrentThreadId.KERNEL32 ref: 00007FF73F9889AE
GetTickCount.KERNEL32 ref: 00007FF73F9889BA
GetTickCount.KERNEL32 ref: 00007FF73F9889CA
QueryPerformanceCounter.KERNEL32 ref: 00007FF73F9889E5

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
Instruction ID: a9a5cd82de3057de857af6afc4bd320117616fa5751e05a2fb428f3b8a6621be
Opcode Fuzzy Hash: b417f0ca43b0f1a675a55b1394a59fc23cd165e7830d58b26484a22ad4f1a579
Instruction Fuzzy Hash: C4115166605B819AEB04EF71E8442A873E4FB49B98F800A30EA6D8779CDF7CD164D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F988790 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73F98879B

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
Instruction ID: df7192366d4fe4ad7a2bf2e8a240a9dc24878d89d8f88444a729855a3c4fe097
Opcode Fuzzy Hash: 5301e7076f5ef957a13bc7f6d002c3f7f3b9a25b2f64b703cbde4610621febb0
Instruction Fuzzy Hash: 23B09250E65482E1D708BB719C850A053A0BB98744FC00870C00EC1128DE1C919AE720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9870A8 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

CharNextA.USER32 ref: 00007FF73F987120
GetModuleFileNameA.KERNEL32 ref: 00007FF73F9871FB
CharUpperA.USER32 ref: 00007FF73F98723E
CharUpperA.USER32 ref: 00007FF73F9872D4
CompareStringA.KERNEL32 ref: 00007FF73F987368
CharUpperA.USER32 ref: 00007FF73F9873A3
CharUpperA.USER32 ref: 00007FF73F9873FF
CharUpperA.USER32 ref: 00007FF73F987498
CloseHandle.KERNEL32 ref: 00007FF73F98769E
ExitProcess.KERNEL32 ref: 00007FF73F9876AC

Strings

:, xrefs: 00007FF73F987443
RegServer, xrefs: 00007FF73F987359
", xrefs: 00007FF73F987187
@, xrefs: 00007FF73F98767E

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$:$@$RegServer
API String ID: 1203814774-4077547207
Opcode ID: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
Instruction ID: e598f9d287d500b22d0fc742d41ff46b464228120673b8bdda0ad641614331aa
Opcode Fuzzy Hash: 6e530289b7fe5922f9cfda438616e34a1a36475502b4d42f4ffce2e3ac89d0b1
Instruction Fuzzy Hash: 1502E4D1E0C6D261FB6DAB2468006F9EBA1AF427C0FD80135C95E8669DCE3DE405E732

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F984A60 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984A86
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984AAA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984ACA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984AEC
GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984B1B
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984B3A
CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984B54
FreeLibrary.KERNEL32 ref: 00007FF73F984BF1
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF73F9835E3), ref: 00007FF73F984C0D

Strings

SHBrowseForFolder, xrefs: 00007FF73F984AA0
SHGetPathFromIDList, xrefs: 00007FF73F984AE2
SHELL32.DLL, xrefs: 00007FF73F984A7F

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
Instruction ID: c839220f29701e0997964c20abcabbd31a91dd0f8ba94c8c73fa2e7c860bf6fe
Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
Instruction Fuzzy Hash: 8E516DA1A09BC2A6E748AB05B8505F9BA94FF49BD0F844135DE4E8775CDF3CE444E710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F984DCC Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32 ref: 00007FF73F984E60
LocalAlloc.KERNEL32 ref: 00007FF73F984F61
LocalAlloc.KERNEL32 ref: 00007FF73F984F99
MessageBoxA.USER32 ref: 00007FF73F984EA0

Part of subcall function 00007FF73F987E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF73F987E8C
Part of subcall function 00007FF73F987E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF73F987ECA

LocalAlloc.KERNEL32 ref: 00007FF73F984EFC
MessageBeep.USER32 ref: 00007FF73F984FC2
MessageBoxA.USER32 ref: 00007FF73F985007
LocalFree.KERNEL32 ref: 00007FF73F985018

Part of subcall function 00007FF73F987F04: GetVersionExA.KERNEL32 ref: 00007FF73F987F59
Part of subcall function 00007FF73F987F04: GetSystemMetrics.USER32 ref: 00007FF73F987F93
Part of subcall function 00007FF73F987F04: RegOpenKeyExA.ADVAPI32 ref: 00007FF73F987FC8
Part of subcall function 00007FF73F987F04: RegQueryValueExA.ADVAPI32 ref: 00007FF73F988003
Part of subcall function 00007FF73F987F04: RegCloseKey.ADVAPI32 ref: 00007FF73F988016
Part of subcall function 00007FF73F987F04: CharNextA.USER32 ref: 00007FF73F988065

Strings

Open, xrefs: 00007FF73F984E91, 00007FF73F984FF3
rce., xrefs: 00007FF73F984DF7

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
String ID: Open$rce.
API String ID: 2929476258-3686285831
Opcode ID: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
Instruction ID: 4d9ce528dfdd231028dc418fc4fb2e0473dd72376d8d8841c44973fb0f63a6de
Opcode Fuzzy Hash: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
Instruction Fuzzy Hash: 9161F5A1E087C1A6FB19AB25A8007F4EA90AF59BE4F844234DE4D8379DDF3CE445D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F98261C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 129registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32 ref: 00007FF73F982662
CharNextA.USER32 ref: 00007FF73F982674
CharNextA.USER32 ref: 00007FF73F982683
RegOpenKeyExA.ADVAPI32 ref: 00007FF73F982724
RegQueryValueExA.ADVAPI32 ref: 00007FF73F98275B
ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF73F982782
RegCloseKey.ADVAPI32 ref: 00007FF73F9827B9
GetWindowsDirectoryA.KERNEL32 ref: 00007FF73F9827CF
GetSystemDirectoryA.KERNEL32 ref: 00007FF73F9827E5

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00007FF73F9826A6

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 2659952014-2428544900
Opcode ID: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
Instruction ID: 950e25093d6f9cd885b332f5c6f9c52e153792bb380f16f08fc0d8067b05de3d
Opcode Fuzzy Hash: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
Instruction Fuzzy Hash: B25183B66086C1A6EB14AB11E8502F9FBA4FB8ABD0F945031DA4E8775CDF3CD445D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9833F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF73F983430
GetDesktopWindow.USER32 ref: 00007FF73F983441
SetDlgItemTextA.USER32 ref: 00007FF73F983467
SetWindowTextA.USER32 ref: 00007FF73F98347D
SetForegroundWindow.USER32 ref: 00007FF73F98348C
GetDlgItem.USER32 ref: 00007FF73F9834A0
GetWindowLongPtrA.USER32 ref: 00007FF73F9834B7
SetWindowLongPtrA.USER32 ref: 00007FF73F9834D9
SendDlgItemMessageA.USER32 ref: 00007FF73F98350A

Strings

Open, xrefs: 00007FF73F983473

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: Open
API String ID: 3785188418-71445658
Opcode ID: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
Instruction ID: 794f15516735f52deed2cb00bc47bb1dcf7d383ea189d91b50901c677b1a667b
Opcode Fuzzy Hash: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
Instruction Fuzzy Hash: 0B3121B59086C296E7186B25E8046F4FB91FB8EBA1FD49230C91E8779CDF3DA045E610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9812EC Relevance: 16.6, APIs: 11, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F9811CC: LoadLibraryA.KERNEL32 ref: 00007FF73F981209
Part of subcall function 00007FF73F9811CC: GetProcAddress.KERNEL32 ref: 00007FF73F98122B
Part of subcall function 00007FF73F9811CC: AllocateAndInitializeSid.ADVAPI32 ref: 00007FF73F981278
Part of subcall function 00007FF73F9811CC: FreeSid.ADVAPI32 ref: 00007FF73F9812A0
Part of subcall function 00007FF73F9811CC: FreeLibrary.KERNEL32 ref: 00007FF73F9812AF

GetCurrentProcess.KERNEL32 ref: 00007FF73F98134D
OpenProcessToken.ADVAPI32 ref: 00007FF73F981363
GetTokenInformation.ADVAPI32 ref: 00007FF73F98138C
GetLastError.KERNEL32 ref: 00007FF73F9813A0
LocalAlloc.KERNEL32 ref: 00007FF73F9813BA
GetTokenInformation.ADVAPI32 ref: 00007FF73F9813E8
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF73F981435
EqualSid.ADVAPI32 ref: 00007FF73F981460
FreeSid.ADVAPI32 ref: 00007FF73F981485
LocalFree.KERNEL32 ref: 00007FF73F981494
CloseHandle.KERNEL32 ref: 00007FF73F9814A4

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
Instruction ID: d15654999a90092b9cf6d461b3c66b43d81842eddbf0afe59e53a8c2d28fabe9
Opcode Fuzzy Hash: 6813b6756910e0ae34933596af1690bcf55f2b4d44473aa3a3cec1d83aee30ca
Instruction Fuzzy Hash: 79515D72604A81EAE724AF21E4806F9BBA4FB8DBD8F815135DA0E9375CDF38D444DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F987F04 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF73F987F59
GetSystemMetrics.USER32 ref: 00007FF73F987F93
RegOpenKeyExA.ADVAPI32 ref: 00007FF73F987FC8
RegQueryValueExA.ADVAPI32 ref: 00007FF73F988003
RegCloseKey.ADVAPI32 ref: 00007FF73F988016
CharNextA.USER32 ref: 00007FF73F988065

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00007FF73F987FBA

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
Instruction ID: 867fdee6bff52ac3a0ef66b130a2eb0cd269f2ff6569f255138e267ad6b22518
Opcode Fuzzy Hash: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
Instruction Fuzzy Hash: 9C5192B2A08AC1AAE7149F20D8401F9F7A5FB88B90F854571DA5E8379CDF3CE544DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982834 Relevance: 12.2, APIs: 8, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32 ref: 00007FF73F982A44

Part of subcall function 00007FF73F98261C: CharUpperA.USER32 ref: 00007FF73F982662
Part of subcall function 00007FF73F98261C: CharNextA.USER32 ref: 00007FF73F982674
Part of subcall function 00007FF73F98261C: CharNextA.USER32 ref: 00007FF73F982683
Part of subcall function 00007FF73F98261C: RegOpenKeyExA.ADVAPI32 ref: 00007FF73F982724
Part of subcall function 00007FF73F98261C: RegQueryValueExA.ADVAPI32 ref: 00007FF73F98275B
Part of subcall function 00007FF73F98261C: ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF73F982782
Part of subcall function 00007FF73F98261C: RegCloseKey.ADVAPI32 ref: 00007FF73F9827B9

GetFileVersionInfoSizeA.VERSION ref: 00007FF73F9828AC
GlobalAlloc.KERNEL32 ref: 00007FF73F9828C9
GlobalLock.KERNEL32 ref: 00007FF73F9828E4
GetFileVersionInfoA.VERSION ref: 00007FF73F98290C
VerQueryValueA.VERSION ref: 00007FF73F982932
GlobalUnlock.KERNEL32 ref: 00007FF73F9829DC
GlobalUnlock.KERNEL32 ref: 00007FF73F9829F0

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
String ID:
API String ID: 1051330783-0
Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
Instruction ID: 659d9af7ec13012c088a6f1505448cb022a77aa70beb4b95657ff430ffe3d58b
Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
Instruction Fuzzy Hash: B75183B2A046C2AAEB589F15D5005F8B7A4FB48BD4F945131CE0DAB79CDF39E441D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982A6C Relevance: 12.1, APIs: 8, Instructions: 126COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF73F982AB2
IsDBCSLeadByte.KERNEL32 ref: 00007FF73F982ACE
CharNextA.USER32 ref: 00007FF73F982AF4
CharUpperA.USER32 ref: 00007FF73F982B07
CharPrevA.USER32 ref: 00007FF73F982B43
CharUpperA.USER32 ref: 00007FF73F982B9F
CharNextA.USER32 ref: 00007FF73F982BF9
CharNextA.USER32 ref: 00007FF73F982C0B

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
Instruction ID: 8837b6cbed3e76073e46ba955aa0c4b4c1a8c6cc1c773025d7aba573a5fb6dbf
Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
Instruction Fuzzy Hash: 105193A1A0D6C665FB656F25E4003F9EB91EB4ABD0F888171CE8E4B78DCE3CD4459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F98772C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F98114C: _vsnprintf.MSVCRT ref: 00007FF73F981189

LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F98606F), ref: 00007FF73F987763
LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F98606F), ref: 00007FF73F987772
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F98606F), ref: 00007FF73F9877B8
FindResourceA.KERNEL32 ref: 00007FF73F9877EC
FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF73F98606F), ref: 00007FF73F987805

Strings

UPDFILE%lu, xrefs: 00007FF73F9877C9

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
Instruction ID: d68e3510cffdd7f27d59f36e0a61bf0bba40885b70ad5afee91b8fc1af122fd3
Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
Instruction Fuzzy Hash: 0A319572A08681D6E718AB21A8001F9FBA1FB89FD0F958235DA5E8779CCF3CD044D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F982244 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 00007FF73F982271
WritePrivateProfileStringA.KERNEL32 ref: 00007FF73F9822A0
_lopen.KERNEL32 ref: 00007FF73F9822B4
_llseek.KERNEL32 ref: 00007FF73F9822CF
_lclose.KERNEL32 ref: 00007FF73F9822DF

Strings

wininit.ini, xrefs: 00007FF73F982281

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
Instruction ID: a5fb8fe1c5988f94869e6ec2796609f8960439a9945c5c306084202eb6251aec
Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
Instruction Fuzzy Hash: 95116D72608A8197E728AB21E8442E9B7A1FBCDB94FC58131DA4E8765CDF3CD509DA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F983840 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF73F98388E
SetWindowTextA.USER32 ref: 00007FF73F9838AF
SetDlgItemTextA.USER32 ref: 00007FF73F9838CA
SetForegroundWindow.USER32 ref: 00007FF73F9838D9
EndDialog.USER32 ref: 00007FF73F9838EC

Strings

Open, xrefs: 00007FF73F9838A5

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Window$Text$DesktopDialogForegroundItem
String ID: Open
API String ID: 761066910-71445658
Opcode ID: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
Instruction ID: 04f7f9d470eaa4566315dfdaa3db28c6d28427a4de89a1486874d003a9a5002d
Opcode Fuzzy Hash: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
Instruction Fuzzy Hash: 041121E1D086C2A6F75C3B55E4086F8EA51EB4EBC1FC49131CC0E8639CDE3EA444E620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F98494C Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F985078
Part of subcall function 00007FF73F985050: SizeofResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F985089
Part of subcall function 00007FF73F985050: FindResourceA.KERNEL32 ref: 00007FF73F9850AF
Part of subcall function 00007FF73F985050: LoadResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850C0
Part of subcall function 00007FF73F985050: LockResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850CF
Part of subcall function 00007FF73F985050: memcpy_s.MSVCRT ref: 00007FF73F9850EE
Part of subcall function 00007FF73F985050: FreeResource.KERNEL32(?,?,00000000,00007FF73F982E43), ref: 00007FF73F9850FD

LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF73F983388), ref: 00007FF73F984975
LocalFree.KERNEL32(?,?,?,?,00000000,00007FF73F983388), ref: 00007FF73F984A11

Part of subcall function 00007FF73F984DCC: LoadStringA.USER32 ref: 00007FF73F984E60
Part of subcall function 00007FF73F984DCC: MessageBoxA.USER32 ref: 00007FF73F984EA0

Strings

@, xrefs: 00007FF73F9849F7
FINISHMSG, xrefs: 00007FF73F984959, 00007FF73F9849AC
<None>, xrefs: 00007FF73F9849D5

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$@$FINISHMSG
API String ID: 3507850446-4126004490
Opcode ID: 084f567f2751bbb327c7852ecae896f84c80c38795d5f8c59f35c596520349e1
Instruction ID: 38d25ba36f33a879f56de22b055eacb4fbdbd8973ef47b60c81a3901123693a8
Opcode Fuzzy Hash: 084f567f2751bbb327c7852ecae896f84c80c38795d5f8c59f35c596520349e1
Instruction Fuzzy Hash: D51195B2A08282D7F728AB24E410BFAF690EF85BD4F945135DA4E8678CDF3DD0049B14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9879F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF73F987A68
LoadLibraryExA.KERNEL32 ref: 00007FF73F987A88
LoadLibraryA.KERNEL32 ref: 00007FF73F987A9D

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F987A0E
advpack.dll, xrefs: 00007FF73F987A4B, 00007FF73F987A96

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-3680919256
Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
Instruction ID: 3a4ceacd9e00b078a1ec1bc22a19a980e87f0947482e653791f7e128ad5f350e
Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
Instruction Fuzzy Hash: 631181B1A196C6A5EF65AB10E8403F9B7A0FB89B84FC40271C55D8269DCF3DD609D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F981500 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF73F981545
GetDesktopWindow.USER32 ref: 00007FF73F981557
LoadStringA.USER32 ref: 00007FF73F981587
SetDlgItemTextA.USER32 ref: 00007FF73F9815A0
MessageBeep.USER32 ref: 00007FF73F9815AF

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
Instruction ID: bfef6f5268bc78a4004d43481eb9b84e52e50fd313b8cfb7e06791ba7c361046
Opcode Fuzzy Hash: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
Instruction Fuzzy Hash: 18115EA1A08AC596EA546B64A4043F9F7A0FB89BD4F844231CA5E8679DCF3DD0859610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F983BF4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00007FF73F983C3F
MessageBeep.USER32 ref: 00007FF73F983EB9

Part of subcall function 00007FF73F987F04: GetVersionExA.KERNEL32 ref: 00007FF73F987F59
Part of subcall function 00007FF73F987F04: GetSystemMetrics.USER32 ref: 00007FF73F987F93
Part of subcall function 00007FF73F987F04: RegOpenKeyExA.ADVAPI32 ref: 00007FF73F987FC8
Part of subcall function 00007FF73F987F04: RegQueryValueExA.ADVAPI32 ref: 00007FF73F988003
Part of subcall function 00007FF73F987F04: RegCloseKey.ADVAPI32 ref: 00007FF73F988016
Part of subcall function 00007FF73F987F04: CharNextA.USER32 ref: 00007FF73F988065

MessageBoxA.USER32 ref: 00007FF73F983EF3

Part of subcall function 00007FF73F987E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF73F987E8C
Part of subcall function 00007FF73F987E34: EnumResourceLanguagesA.KERNEL32 ref: 00007FF73F987ECA

Strings

Open, xrefs: 00007FF73F983EE4, 00007FF73F983F24

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
String ID: Open
API String ID: 2312377310-71445658
Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
Instruction ID: d5c81357cc663176dd84758a5a488640940e8ac2f35c8d9ceaa18cb390239018
Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
Instruction Fuzzy Hash: 9EA1B8B2A191C2A6F769AF119444AF9F6A4FF487D0F910035E90EC328DDE3DE845E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F9878B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF73F98795B
WriteFile.KERNEL32 ref: 00007FF73F987992
CloseHandle.KERNEL32 ref: 00007FF73F9879B7

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00007FF73F9878E2

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-305352358
Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
Instruction ID: db2561674424e458129f0bf40b85009f32e81bc32a0153a71dd805622c944462
Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
Instruction Fuzzy Hash: 313170B26086C196EB149F10E8407E9E760FB89BA4F844235DA9D8769CCF7DD408DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F985C60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

#20.CABINET ref: 00007FF73F985CD9
#21.CABINET ref: 00007FF73F985D18
#23.CABINET ref: 00007FF73F985D52

Strings

*MEMCAB, xrefs: 00007FF73F985CF2

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID:
String ID: *MEMCAB
API String ID: 0-3211172518
Opcode ID: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
Instruction ID: d4932c9900afaba67b37f87ecc324bcb8358e8886c32bc557910d124713caf66
Opcode Fuzzy Hash: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
Instruction Fuzzy Hash: 25311BA1A08B81A5EB58AB11E4442E9B7E1BB44BE0FC44236D95E8269CDF3CD449D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F988470 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73F9884E3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73F988502
RtlVirtualUnwind.KERNEL32 ref: 00007FF73F98854F
__raise_securityfailure.LIBCMT ref: 00007FF73F988634

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
Instruction ID: f46a841bbc655581247d2d992aea7dcf93e09bbda44119112e6c381e908b22b3
Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
Instruction Fuzzy Hash: BE41A9B5A08B8191EB58AB58F8903A5B3A4FB847D4F904136D98DC37ACDF3CE445E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F987C40 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,00000000,00007FF73F982B25), ref: 00007FF73F987C64
CharPrevA.USER32(?,?,00000000,00007FF73F982B25), ref: 00007FF73F987C80
CharPrevA.USER32(?,?,00000000,00007FF73F982B25), ref: 00007FF73F987CA4
CharNextA.USER32(?,?,00000000,00007FF73F982B25), ref: 00007FF73F987CB8

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
Instruction ID: ac3f1a6c26e1e609b1a7a0201d0f53ae28f6aad8b0bd03a3c49f787df48b599b
Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
Instruction Fuzzy Hash: 7811A7A2A086D1A5FB595B11E9002B9EB91E74AFE0F898230DE5F4378CCF2CD4409711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F988648 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF73F988653
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF73F988672
RtlVirtualUnwind.KERNEL32 ref: 00007FF73F9886BF
__raise_securityfailure.LIBCMT ref: 00007FF73F988735

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
Instruction ID: 3715a3f76014c4f7073f3d66bd94d4353e8f5a3415287cd7e5974f7eedaa33c7
Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
Instruction Fuzzy Hash: C421E7B5918B81A1E718AB54F8803E5B3A4FB84B94F900036DA8D83B6CDF7DE045E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73F983B40 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32 ref: 00007FF73F983B64
PeekMessageA.USER32 ref: 00007FF73F983B89
DispatchMessageA.USER32 ref: 00007FF73F983BAC
PeekMessageA.USER32 ref: 00007FF73F983BCD

Memory Dump Source

Source File: 00000000.00000002.1681830263.00007FF73F981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF73F980000, based on PE: true

Associated: 00000000.00000002.1681806953.00007FF73F980000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681844662.00007FF73F989000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681857937.00007FF73F98C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1681872071.00007FF73F98E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff73f980000_Open.jbxd

Similarity

API ID: Message$Peek$DispatchMultipleObjectsWait
String ID:
API String ID: 2776232527-0
Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
Instruction ID: 96142e1c1b4b67529d0f369acfe471c81681c100b665b3b45f11c6a5f1da2543
Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
Instruction Fuzzy Hash: F2117EB26185C197E7645F20E444FB5FA90FB99785FC09130DA4E8298CDF3DD044DB10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Open.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\Open.cmd

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Open.EXEPID: 6792, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
Open.EXE

Function 00007FF73F9840C4 Relevance: 54.6, APIs: 17, Strings: 14, Instructions: 371
libraryloaderCOMMON

Function 00007FF73F981D28 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 183
registrylibrarymemoryCOMMON

Function 00007FF73F981684 Relevance: 37.1, APIs: 10, Strings: 11, Instructions: 350
memoryCOMMON

Function 00007FF73F9866C4 Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 299
memorystringCOMMON

Function 00007FF73F982DB4 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 179
synchronizationCOMMON

Function 00007FF73F986CA4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215
windowCOMMON

Function 00007FF73F985D90 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 124
windowCOMMON

Function 00007FF73F9830EC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
libraryfileloaderCOMMON

Function 00007FF73F9864E4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 123
COMMON

Function 00007FF73F982C54 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
libraryloadershutdownCOMMON

Function 00007FF73F983910 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 119
threadwindowCOMMON

Function 00007FF73F9861EC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 97
registryfileCOMMON

Function 00007FF73F98473C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 115
processsynchronizationwindowCOMMON

Function 00007FF73F982318 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 75
registryCOMMON

Function 00007FF73F9863B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71
fileCOMMON