Edit tour

Windows Analysis Report
Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Overview

General Information

Sample name:	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Analysis ID:	1544696
MD5:	51ef7e32d7120c644fabee284af7501a
SHA1:	a20a8860ce64896c98754d14e7c1d5c9e9649a25
SHA256:	f8ee0959e12e3a3537cc2f7290f06b4a18303543c6988df99599bb0cf80732a3
Infos:

Detection

Score:	18
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to query locales information (e.g. system language)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE (PID: 6960 cmdline: "C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE" MD5: 51EF7E32D7120C644FABEE284AF7501A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: certificate valid

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x86\MiniUnzipRelease\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\IC\libraries\zlib\src\contrib\vstudio\vc17\ARM64\Release\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x86\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\arm64\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x64\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_ThirdPartyLibraries\zlib-1.2.13\contrib\vstudio\vc17_Fromvc14\x64\MiniUnzipRelease\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: 0_2_0089D3E0 FindFirstFileW,		0_2_0089D3E0
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: 0_2_008C7FC0 FindFirstFileW,FindNextFileW,FindClose,		0_2_008C7FC0

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://aia.entrust.net/ts2-chain256.p7c01
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://crl.entrust.net/ts2ca.crl0
Source: DellPair-Setup-x64.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://ocsp.entrust.net00
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://ocsp.entrust.net01
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://ocsp.entrust.net02
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://ocsp.entrust.net03
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: mup.xml	String found in binary or memory: http://schemas.dell.com/openmanage/cm/2/0/mupdefinition.xsd
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://schemas.dell.com/openmanage/cm/2009/1/0/mupdefinition.xsd
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.dell.com/openmanage/cm/2009/1/0/mupdefinition.xsdL
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://schemas.dell.com/openmanage/cm/2009/1/1/datamodelcore.xsd
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.dell.com/openmanage/cm/2009/1/1/datamodelcore.xsdG
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, package.xml	String found in binary or memory: http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=9DY26
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=9DY26L
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.entrust.net/rpa0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.entrust.net/rpa03
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.winimage.com/zLibDll/unzip.html
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: http://www.winimage.com/zLibDllH
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, package.xml	String found in binary or memory: https://www.dell.com/support/kbdoc/000201693
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: https://www.entrust.net/rpa0

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: String function: 00828AA8 appears 295 times
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: String function: 00826690 appears 65 times

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32+ executable (console) x86-64, for MS Windows
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32 executable (console) Intel 80386, for MS Windows
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32+ executable (console) Aarch64, for MS Windows
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Resource name: BIN type: PE32+ executable (DLL) (GUI) Aarch64, for MS Windows

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000000.1690480176.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezlibwapi.dll2 vs Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDUPFramework.exe , vs Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Binary or memory string: OriginalFilenamezlibwapi.dll2 vs Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Binary or memory string: OriginalFilenameDUPFramework.exe , vs Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean18.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Code function: 0_2_008B49A0 CoCreateInstance,

0_2_008B49A0

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Code function: 0_2_0086C390 LoadResource,LockResource,SizeofResource,

0_2_0086C390

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\104[1]

Jump to behavior

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: # Exit Codes for Appx-Installer: Global Variable.
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: # Logging for Appx-Installer.
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: <installertype>custom</installertype>
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	String found in binary or memory: </InstallInstruction>

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

File read: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: certificate valid

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static file information: File size 50595424 > 1048576

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x59ac00
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x110a00
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2b7400

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: More than 200 imports for KERNEL32.dll

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x86\MiniUnzipRelease\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\IC\libraries\zlib\src\contrib\vstudio\vc17\ARM64\Release\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x86\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\arm64\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_GitRepos\libraries\zlib\src\contrib\vstudio\vc17\x64\ZlibDllRelease\zlibwapi.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Source:	Binary string: C:\_ThirdPartyLibraries\zlib-1.2.13\contrib\vstudio\vc17_Fromvc14\x64\MiniUnzipRelease\miniunz.pdb source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: section name: .didat
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\WMI : MSSMBios_RawSMBiosTables

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Memory allocated: 3EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Memory allocated: 5400000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Memory allocated: 5580000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Memory allocated: 87D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Memory allocated: 9A20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

API coverage: 9.2 %

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: 0_2_0089D3E0 FindFirstFileW,		0_2_0089D3E0
Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	Code function: 0_2_008C7FC0 FindFirstFileW,FindNextFileW,FindClose,		0_2_008C7FC0

Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000003.1691791230.00000000018C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.00000000018B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Code function: 0_2_00888820 SetDllDirectoryW,GetCurrentProcess,IsWow64Process,GetSystemWow64DirectoryA,AddDllDirectory,GetSystemDirectoryW,AddDllDirectory,SetDefaultDllDirectories,SetUnhandledExceptionFilter,

0_2_00888820

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Code function: GetLocaleInfoW,

0_2_0089D870

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Code function: 0_2_008B7180 GetVersionExW,

0_2_008B7180

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.entrust.net/g2ca.crl0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
https://www.dell.com/support/kbdoc/000201693	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, package.xml	false		unknown
http://schemas.dell.com/openmanage/cm/2009/1/1/datamodelcore.xsdG	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.dell.com/openmanage/cm/2009/1/0/mupdefinition.xsd	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://schemas.dell.com/openmanage/cm/2009/1/1/datamodelcore.xsd	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://ocsp.entrust.net03	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false	URL Reputation: safe	unknown
http://ocsp.entrust.net01	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.entrust.net/rpa03	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false	URL Reputation: safe	unknown
http://ocsp.entrust.net00	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.winimage.com/zLibDllH	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://schemas.dell.com/openmanage/cm/2009/1/0/mupdefinition.xsdL	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	DellPair-Setup-x64.exe	false	URL Reputation: safe	unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.winimage.com/zLibDll/unzip.html	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://aia.entrust.net/ts2-chain256.p7c01	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=9DY26L	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, 00000000.00000002.2937854735.0000000001839000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/csbr1.crl0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.winimage.com/zLibDll	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false	URL Reputation: safe	unknown
http://relaxng.org/ns/structure/1.0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://aia.entrust.net/evcs2-chain.p7c01	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://crl.entrust.net/ts2ca.crl0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://schemas.dell.com/openmanage/cm/2/0/mupdefinition.xsd	mup.xml	false		unknown
http://crl.entrust.net/evcs2.crl0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.entrust.net/rpa0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false		unknown
http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=9DY26	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE, package.xml	false		unknown
https://www.entrust.net/rpa0	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544696
Start date and time:	2024-10-29 16:30:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Detection:	CLEAN
Classification:	clean18.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, ocsp.entrust.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Dell\UpdatePackage\Log\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.txt

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1036
Entropy (8bit):	3.6785900180648485
Encrypted:	false
SSDEEP:	24:Q+72MCllu3cVlorEChhdfw/rns5FCQ5WzY:r72bMcVloYyhduTsbCQ0Y
MD5:	09B1FEF34BE8EA5C517D016760B199C9
SHA1:	0BB0B458A132B8A287484AB0C306778B152D7C24
SHA-256:	C10444A069B8BB043CC793B8E0E1D1E65F02642FB877B0067FD67875A0A64B6C
SHA-512:	AC9D896E5C4AD070AD803FE5D17A0952254061281813EF18880F9CD2E16CF9B30378F115ED0FC5BC927DE0E0421B52D0E3269C4E8A3B2DDD4A940F114B9A99EA
Malicious:	false
Reputation:	low
Preview:	..[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...U.p.d.a.t.e. .P.a.c.k.a.g.e. .E.x.e.c.u.t.i.o.n. .S.t.a.r.t.e.d.....[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...O.r.i.g.i.n.a.l. .c.o.m.m.a.n.d. .l.i.n.e.:. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.e.s.k.t.o.p.\.D.e.l.l.-.P.a.i.r.-.A.p.p.l.i.c.a.t.i.o.n._.9.D.Y.2.6._.W.I.N._.1...2...4._.A.0.0.-.0.0...E.X.E.".....[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...D.U.P. .F.r.a.m.e.w.o.r.k. .E.X.E. .V.e.r.s.i.o.n.:. .5...2...0...2.1.....[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...D.U.P. .R.e.l.e.a.s.e.:. .9.D.Y.2.6.A.0.0.-.0.0.....[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...I.n.i.t.i.a.l.i.z.i.n.g. .f.r.a.m.e.w.o.r.k...........[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.4. .2.0.2.4.]...D.a.t.a. .i.n. .s.m.b.i.o.s. .t.a.b.l.e. .i.s. .(.h.e.x.).v.a.l.u.e. .=. .1. .,. .C.h.a.s.i.s. .t.y.p.e. .(.h.e.x.).v.a.l.u.e. .=. .1. .,. .S.y.s.t.e.m. .t.y.p.e. .i.s. .:. .C.l.i.e.n.t. .....[.T.u.e. .O.c.t. .2.9. .1.1.:.3.1.:.0.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\104[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3733
Entropy (8bit):	5.060783478110982
Encrypted:	false
SSDEEP:	48:omMqyjVIpOBi4HXiaxIuocTX/+lJWllmcTujIJSY2/9LsciBKewxV5lD7Kka:yHRzYuoCy4XmcT6wK/9L225c
MD5:	479E26A07D3D851BA0D877594B2C5956
SHA1:	9DBFCAC52078F282779577090358FA44972B9815
SHA-256:	05062B44CBAFBEAAE53AD9F5A093DB4F2A0E27548749A74FBB466091F371D302
SHA-512:	08DD0E3614036D79FED850531FFD5C5937B4A6360702E12907BB67A717486C0D86153FE52DFDC813C1D31AACF1F3454DDD2073F17C3E5CC8E7A22EBA8791DAF4
Malicious:	false
Reputation:	low
Preview:	.<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml" lang="en">..<head>.. <title>DUP Main Screen</title> this is not actually used, but the IDEs complain with no title -->.. <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />.. <meta http-equiv="page-enter" content="blendTrans(Duration=.33)" />.... <link rel="stylesheet" type="text/css" href="styles.css" />.. Modified styles for legacy IE systems -->.. [if lte IE 6]>.. <link rel="stylesheet" type="text/css" href="ielegacy.css" />.. <![endif]-->.... <script type="text/javascript" src="script.js"></script>.. WARNING: only use exact px size units for OS DPI independant sizing (EVEN FONTS!) -->..</head>....<body>.. <div id="header">.. <div style="height:10px"></div>.. <label id="headLogoLPad"> space --></label>.. <label id="headLogo" sty

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\info_normal[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	6.555093314216707
Encrypted:	false
SSDEEP:	24:T1hnBWwjx82lY2T3eVacQGyJ3Vg1KzG4SE+/8w/odr3QLLv:Z1kNn2ySJ3FmE+PodMv
MD5:	A932EB14B05652327DE09E8194F85768
SHA1:	55C295383057191919963B24B57F5FAF75D2F11D
SHA-256:	FACF4CD9D8C8005B7A605F05491A115B20AFF914F190A49139407D7DCF5743BF
SHA-512:	1DCCA37C5B03C318C676A06B2E491585B804659E2376DA13C62D76B837D5E94E42E6F6A357B7003F57F6C486563304CD3BB060CD9B236059F5247D41C4934793
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............;mG.....tEXtSoftware.Adobe ImageReadyq.e<...&iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)" xmpMM:InstanceID="xmp.iid:AD2B2226AB2911E49E2B82C57D30560D" xmpMM:DocumentID="xmp.did:AD2B2227AB2911E49E2B82C57D30560D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:AD2B2224AB2911E49E2B82C57D30560D" stRef:documentID="xmp.did:AD2B2225AB2911E49E2B82C57D30560D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>5.'+....IDATx.bd@.....d..........{ ....x.C..;d-.h.d..v .g..>.q%...........@..A.&$.`....p!.!.H..!.P}@C a.M...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\close_hover[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	PNG image data, 26 x 26, 8-bit/color RGB, interlaced
Category:	modified
Size (bytes):	1471
Entropy (8bit):	6.910245155716432
Encrypted:	false
SSDEEP:	24:j1hnBWwh82lYSKwW419aFVjV6FV4T3eyJ3V36ioG4AleoSTl6AOesxFedlO7:p1kvnLy9aFN4F2BJ3lmw3dey7
MD5:	01684E4CF0F22309B883AB2DA4FCDCC1
SHA1:	E6FBB9F52942556E6334F15F14E714E47A3E15EB
SHA-256:	AACAB6AE289DCD836C1DA6366B69290B389DCD89C5511A029E5A173FF272E0DC
SHA-512:	E820420389179A60447747CC5C811B818D8FAD99EEA62183E74FA4B83AB7C483B3BB506C13F287217CC23881D964800F8332C1EABBBB212574831ECC6C366B22
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............Q/......tEXtSoftware.Adobe ImageReadyq.e<...niTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9EFB6187A5CAE11197DFCAEC59020C25" xmpMM:DocumentID="xmp.did:9BFC5E9BC82B11E4AE08E30DDBE65FDD" xmpMM:InstanceID="xmp.iid:9BFC5E9AC82B11E4AE08E30DDBE65FDD" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:f51d4317-4b7b-8b42-9628-ae96ad6a8e73" stRef:documentID="xmp.did:6B5F6003C81F11E4993381DFE7B8B66E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.k......IDATx.b.Yq.....xs.6.A9p...+.B8.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\script[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	458
Entropy (8bit):	4.897196426335853
Encrypted:	false
SSDEEP:	12:xbQFCv1dIDRRvyJ0rCNDRRvyJ0f9M0mDRRvyJ0NMTdIDRRvyJ0M:1e9RRvyJ0rGRRvyJ0VD+RRvyJ0NpRRvW
MD5:	762247EE6432B6FE87058C092B4B64EF
SHA1:	B7380028C839F31E7D21C59F267201C6DE130D6E
SHA-256:	DF735D8704AB406C120B10482BFBF7755C81E9E2BAE6B20E86793102430AEA07
SHA-512:	159E680C3B5534E1787B318BE449DE85393C67010FB13C8FAAE16065647675B74037BD02EF850B8233B3BE366D86ACA1D8342E3D6F1294D1F6595A9D5D900796
Malicious:	false
Preview:	..function GoPage(file)..{...window.location = file;..}....function SetPrimaryHover(name)..{...document.getElementById(name).className="primary_hover";..}.....function SetPrimaryNormal(name)..{...document.getElementById(name).className="primary_up";..}....function SetSecondaryNormal(name)..{...document.getElementById(name).className="secondary_up";..}....function SetSecondaryHover(name)..{...document.getElementById(name).className="secondary_hover";..}..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\close_normal[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	PNG image data, 26 x 26, 8-bit/color RGBA, interlaced
Category:	dropped
Size (bytes):	1323
Entropy (8bit):	6.629160627437111
Encrypted:	false
SSDEEP:	24:c1hnBWwh82lYSKwW4jiVvT3eyJ3V36ioGXGZVsb4gBaxkyG8:C1kvnLiiFBJ3lmAe6bLBaxK8
MD5:	476D6E57122F68EFDD4C7C36E9FE1E5D
SHA1:	7C665BC3CE2BCB9DB543F5DBEC812B421B6D79F3
SHA-256:	53B4F26194DA0CD25B57B39D205B2E3BCBD1C008DCE76C3A69FF9FF8ABF7084B
SHA-512:	F47B50333045C7D69C5D8FB3E167C64D3E3695873B8E09E232961238155BBD78B7C43C32B3EA7D618BBDC4B9113E841EA46389303DBD03A42E67191E370E2B16
Malicious:	false
Preview:	.PNG........IHDR..............M\|X....tEXtSoftware.Adobe ImageReadyq.e<...niTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9EFB6187A5CAE11197DFCAEC59020C25" xmpMM:DocumentID="xmp.did:8306B931C82B11E4BAD9FF15C4406F26" xmpMM:InstanceID="xmp.iid:8306B930C82B11E4BAD9FF15C4406F26" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:f51d4317-4b7b-8b42-9628-ae96ad6a8e73" stRef:documentID="xmp.did:6B5F6003C81F11E4993381DFE7B8B66E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..h....SIDATx.b...?.2`........,P..&..@..f0a3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\logo[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1492
Entropy (8bit):	6.928863482984696
Encrypted:	false
SSDEEP:	24:n1hnBWwh82lYSKw7W2+XcKAVjAT3eyJ3V9H8i1aTGadcj4J2GJCTsGRx2LRq:11kvnLN/CVABJ3vz10Z60ssGR20
MD5:	9EE20B8883F606D34DBE94D190A64712
SHA1:	6723512C89C002D68ACB77F199107A5CE432B2AC
SHA-256:	A2F9710779C921967E15D9B33044E97C2B34445CB73C32B615C46EDAEEFE5A05
SHA-512:	A51E07BC805DDD0EA14423CD313737FD3EF3BB2DC4C22A5A3F1EF75275212543C9C5F1C5E820A0E182ECE30176F7014F6DDDB5D9084CA179846972A23D962ADD
Malicious:	false
Preview:	.PNG........IHDR.............;0......tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:253eec5c-67e3-4741-902c-87fbcba2f344" xmpMM:DocumentID="xmp.did:B482D68FC83811E4A838E1B8FBB540A9" xmpMM:InstanceID="xmp.iid:B482D68EC83811E4A838E1B8FBB540A9" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6acbe659-eaca-0242-bc58-99e7b468083b" stRef:documentID="adobe:docid:photoshop:23ee457b-c833-11e4-b365-d86b3ace611c"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......IDATx...J.A..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\styles[1]

Download File

Process:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4637
Entropy (8bit):	5.075005323177124
Encrypted:	false
SSDEEP:	96:LwIbbBIQIhPmzTm58b/Lw0PZB8uoItbT10BUhFd3C3FV31E1g3T/:LwIbyHhPmzTm0/n8Yt/10BUh/3C333uc
MD5:	99010FE50AB0F704DCEE7428CEE81A64
SHA1:	6686647E7D6239DBD1562B33735803BF240098CD
SHA-256:	81E0E10A20913964F61DBE198382CF2CDFF0486E94068B655C288D9805EE2AEA
SHA-512:	D8AC222B851C0E9AC949AED8027744D51D530192C381FE7469EE818B3E34036DB2D0CBBE4E33FF46355C7E9D264B69C40A5DF6B98DE7453179B059324AEC7497
Malicious:	false
Preview:	.../* Common styles across all IE versions /../ WARNING: only use exact px size units for OS DPI independant sizing (EVEN FONTS!) /....body..{...height:286px;...background: #ffffff;...padding: 0;...margin: 0;...border-width: 1px;...border-color:#575859;...border-style:solid;...border-collapse:collapse;...color: #575859;...font: normal normal normal 100% Museo Sans For Dell, Museo Sans For Dell, sans-serif;...font-size: 12px; / only use px size for OS DPI independant sizing (not pt) */...cursor: default;..}....table..{.. .padding: 0;...margin: 0;...border: 0px;...border-collapse: collapse;..}....tr..{...padding: 0;...margin: 0;...border-collapse:collapse..}....td..{...padding: 0;...margin: 0;...border: 0px;...border-collapse: collapse;...}....button{.....text-decoration: none;.. padding: 0;...border: 0px;...border-collapse: collapse;... cursor:pointer;...list-style-type: none;...width:100px;...height:29px;..}........img..{...border:0px..}....a..{...text-decoration: none;..}.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.856297210469967
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
File size:	50'595'424 bytes
MD5:	51ef7e32d7120c644fabee284af7501a
SHA1:	a20a8860ce64896c98754d14e7c1d5c9e9649a25
SHA256:	f8ee0959e12e3a3537cc2f7290f06b4a18303543c6988df99599bb0cf80732a3
SHA512:	5959bc6e4a13daf295bc934626b01655101954ed08cb340b2081b492a60ae3c8ff5da266ebcb9f8b3fd6278144828ced772951019a6f6101428ae3324dfebf8b
SSDEEP:	786432:RUDHRtr45XL1XkeeVtk42vMcftxDf8BZfWL4SVe1EhkLb2JZkFYiFDo7btGtd21:RUjRtPdf+fOmFGEhkLb2JZkFz8
TLSH:	43B72320795049F9E9E3003285EDEEFDA63EE1304B3865E79244076D7A293D31B35AE7
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........\ly.=..=..=..E.+.=..A..=..E.+.=..E.+A=..E.+.=..E.+.=..A.+.=..A.+.=..A.+.=.1c.+.=..=..>.hA.+.=..A.+.<.bA.+.=.

File Icon


Icon Hash:	e4c8d8ec6cf4b186

Static PE Info

General

Entrypoint:	0x40d3a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D73FF3 [Thu Feb 22 12:37:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6b38e9fd2147f6565de05946cf19f483

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Entrust Code Signing CA - OVCS2, O="Entrust, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/09/2023 16:31:26 21/09/2024 16:31:25
Subject Chain	CN=Dell Inc, OU=DUP Client Creation Service, O=Dell Inc, L=Round Rock, S=Texas, C=US
Version:	3
Thumbprint MD5:	7108E5001732E01BD0AD75719233268E
Thumbprint SHA-1:	BB26AF283356F485A8BC28226DE1EDEFBF6CD4C7
Thumbprint SHA-256:	F227A583F0ECE80C40BC513D7DA160859E95A64746E149C228B1B27D5724253B
Serial:	29C8CEE0AF20E1F6051698AA181E9488

Entrypoint Preview

Instruction
jmp 00007F38E4D50D98h
jmp 00007F38E4DC538Eh
jmp 00007F38E4C329B4h
jmp 00007F38E4C00735h
jmp 00007F38E4BE3359h
jmp 00007F38E4B3A118h
jmp 00007F38E4B1FEE9h
jmp 00007F38E4B15F41h
jmp 00007F38E498A498h
jmp 00007F38E4DF54DAh
jmp 00007F38E4D48C4Ah
jmp 00007F38E4BF1A75h
jmp 00007F38E4BE4B5Ch
jmp 00007F38E4BB97C1h
jmp 00007F38E4B5D1CBh
jmp 00007F38E4A41905h
jmp 00007F38E495CE00h
jmp 00007F38E4DD0D4Eh
jmp 00007F38E4DABDCDh
jmp 00007F38E4C7CECFh
jmp 00007F38E4C69EB3h
jmp 00007F38E4BE182Fh
jmp 00007F38E4B6C52Bh
jmp 00007F38E4B1CD7Dh
jmp 00007F38E4948348h
jmp 00007F38E4D4660Dh
jmp 00007F38E4CAEA9Ah
jmp 00007F38E4B4924Bh
jmp 00007F38E4B01DA4h
jmp 00007F38E4B02249h
jmp 00007F38E49CD4CAh
jmp 00007F38E4DC41A5h
jmp 00007F38E4DB6C5Ah
jmp 00007F38E4B9FC20h
jmp 00007F38E4B1255Eh
jmp 00007F38E4B11055h
jmp 00007F38E4AC3CACh
jmp 00007F38E4DEEA0Dh
jmp 00007F38E4D58AA3h
jmp 00007F38E4D1DC86h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6ac440	0x4a5	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6c2444	0x28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6cc000	0x2b7344	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x303dba8	0x2ab8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x984000	0x48ea8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x64a20c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x647a40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6c2000	0x444	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x6c4000	0x2a0	.didat
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59ab35	0x59ac00	2c76e30aabcbaa3886972aff7281ea50	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x59c000	0x1108e5	0x110a00	dc5b31e4327eabd09fd270e7e9020f19	False	0.26783513869784503	data	4.540740678190066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6ad000	0x14cb8	0xc800	94b0df406d743307fb178b3271ba3fb3	False	0.18298828125	data	4.205255949731856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6c2000	0x1b7e	0x1c00	3f1cab5646b3aaa41e954c09143ed798	False	0.33328683035714285	data	5.0144744516825925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6c4000	0x5c76	0x5e00	927951773b2a5d5f7737c54adce7513b	False	0.32509142287234044	data	4.458619011066555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6ca000	0x309	0x400	c573bd7cea296a9c5d230ca6b5aee1a6	False	0.021484375	data	0.011173818721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x6cb000	0x10e	0x200	9af06137fa9cf00850c732d1a3b5890e	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6cc000	0x2b7344	0x2b7400	26f55f1af01eb0a2660d4f56c0a2b51d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x984000	0x537d4	0x53800	9ea24822d078f47f6774094a2c45c383	False	0.46130297997754494	data	6.211710261042514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BIN	0x6cd998	0x96ec0	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	English	United States	0.4270693135935397
BIN	0x764858	0x2f4c0	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.5464775355137099
BIN	0x793d18	0x73ec0	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	English	United States	0.46053418587410705
BIN	0x807bd8	0x272c0	PE32 executable (console) Intel 80386, for MS Windows	English	United States	0.5731451934583167
BIN	0x82ee98	0x7369	Unicode text, UTF-8 (with BOM) text, with very long lines (311), with CRLF line terminators	English	United States	0.40375698087662887
BIN	0x836204	0x539b	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5652945848712797
BIN	0x83b5a0	0x2e8c0	PE32+ executable (console) Aarch64, for MS Windows	English	United States	0.47812290198053037
BIN	0x869e60	0xa9ac0	PE32+ executable (DLL) (GUI) Aarch64, for MS Windows	English	United States	0.33226615019799244
RT_CURSOR	0x913920	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x913a54	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x913b08	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x913c3c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x913d70	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x913ea4	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x913fd8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x91410c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x914240	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x914374	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x9144a8	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x9145dc	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x914710	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x914844	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x914978	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x914aac	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x914be0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x914c98	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x914ddc	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.07998860845637187
RT_ICON	0x956e04	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	English	United States	0.19896993903720833
RT_ICON	0x9602ac	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.3549792531120332
RT_ICON	0x962854	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.47795497185741087
RT_ICON	0x9638fc	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5655737704918032
RT_ICON	0x964284	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.625886524822695
RT_DIALOG	0x9646ec	0x40	data	English	United States	0.8125
RT_DIALOG	0x96472c	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x964814	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x964848	0x234	data	English	United States	0.48404255319148937
RT_STRING	0x964a7c	0x338	data	English	United States	0.3337378640776699
RT_STRING	0x964db4	0x628	data	English	United States	0.258248730964467
RT_STRING	0x9653dc	0x148	data	English	United States	0.4878048780487805
RT_STRING	0x965524	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x9655a8	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x9655d4	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x965758	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x965c48	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x965eac	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x966188	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x966214	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x9662c0	0xde	data	English	United States	0.536036036036036
RT_STRING	0x9663a0	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x966848	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x966a70	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x966a9c	0x53e	data	English	United States	0.2965722801788376
RT_RCDATA	0x966fdc	0x4bf6	XML 1.0 document, ASCII text, with very long lines (342), with CRLF line terminators	English	United States	0.1410058623881518
RT_RCDATA	0x96bbd4	0xb47	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3321787322480083
RT_RCDATA	0x96c71c	0x2b76	data	English	United States	0.18641021031817365
RT_GROUP_CURSOR	0x96f294	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x96f2b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f2cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f2e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f2f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f308	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f31c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f330	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f344	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f358	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f36c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f380	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f394	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f3a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x96f3bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x96f3d0	0x5a	data	English	United States	0.7777777777777778
RT_VERSION	0x96f42c	0x3f3c	data	English	United States	0.03317272053372869
RT_HTML	0x973368	0xe95	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3570854540583981
RT_HTML	0x974200	0x1649	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3030674846625767
RT_MANIFEST	0x97584c	0x18b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.6075949367088608
None	0x9759d8	0x75	GIF image data, version 89a, 11 x 11	English	United States	0.8974358974358975
None	0x975a50	0xdb	PNG image data, 11 x 11, 8-bit/color RGBA, non-interlaced	English	United States	0.9954337899543378
None	0x975b2c	0x6b2	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.470828471411902
None	0x9761e0	0x554	GIF image data, version 89a, 26 x 26	English	United States	0.7727272727272727
None	0x976734	0x5bf	PNG image data, 26 x 26, 8-bit/color RGB, interlaced	English	United States	0.8096532970768185
None	0x976cf4	0x4c3	GIF image data, version 89a, 26 x 26	English	United States	0.7547169811320755
None	0x9771b8	0x56c	PNG image data, 26 x 26, 8-bit/color RGBA, interlaced	English	United States	0.7694524495677233
None	0x977724	0x552	GIF image data, version 89a, 26 x 26	English	United States	0.7709251101321586
None	0x977c78	0x5a8	PNG image data, 26 x 26, 8-bit/color RGB, interlaced	English	United States	0.787292817679558
None	0x978220	0x4c3	GIF image data, version 89a, 26 x 26	English	United States	0.7555373256767842
None	0x9786e4	0x52b	PNG image data, 26 x 26, 8-bit/color RGBA, interlaced	English	United States	0.7732426303854876
None	0x978c10	0x11fb	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.33934390614816423
None	0x979e0c	0x596	GIF image data, version 89a, 24 x 24	English	United States	0.7559440559440559
None	0x97a3a4	0x5f3	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.8036769533814839
None	0x97a998	0x57c	GIF image data, version 89a, 24 x 24	English	United States	0.7649572649572649
None	0x97af14	0x576	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.7811158798283262
None	0x97b48c	0x4dc	GIF image data, version 89a, 24 x 24	English	United States	0.7821543408360129
None	0x97b968	0x4cc	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	0.742671009771987
None	0x97be34	0x385	GIF image data, version 89a, 60 x 60	English	United States	0.16426193118756938
None	0x97c1bc	0x13c	PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced	English	United States	0.9462025316455697
None	0x97c2f8	0x1ca	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5611353711790393
None	0x97c4c4	0x1649	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3030674846625767
None	0x97db10	0x46f	GIF image data, version 89a, 17 x 17	English	United States	0.760352422907489
None	0x97df80	0x498	PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced	English	United States	0.7551020408163265
None	0x97e418	0x4e0	GIF image data, version 89a, 17 x 17	English	United States	0.749198717948718
None	0x97e8f8	0x4a0	PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced	English	United States	0.731418918918919
None	0x97ed98	0x50e	GIF image data, version 89a, 30 x 30	English	United States	0.7851622874806801
None	0x97f2a8	0x5d4	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	English	United States	0.811662198391421
None	0x97f87c	0xe95	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3570854540583981
None	0x980714	0x1ca	ASCII text, with CRLF line terminators	English	United States	0.3624454148471616
None	0x9808e0	0x121d	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.2607289195600604
None	0x981b00	0x898	GIF image data, version 89a, 48 x 48	English	United States	1.005
None	0x982398	0xfac	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0027417746759721

Imports

DLL

Import

KERNEL32.dll

GetLastError, LoadResource, LockResource, SizeofResource, FindResourceW, MultiByteToWideChar, FreeLibrary, LoadLibraryExW, LocalFree, FormatMessageW, CreateDirectoryW, CreateFileW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetFileAttributesW, GetFullPathNameW, GetShortPathNameW, GetTempFileNameW, ReadFile, RemoveDirectoryW, SetFileAttributesW, CloseHandle, SetUnhandledExceptionFilter, WaitForSingleObject, WaitForSingleObjectEx, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, GetSystemDirectoryW, GetVersionExW, IsWow64Process, GetSystemWow64DirectoryA, GetModuleFileNameW, GetModuleHandleW, AddDllDirectory, SetDefaultDllDirectories, SetDllDirectoryW, CopyFileW, WideCharToMultiByte, GetLocaleInfoW, GetCommandLineW, FindResourceA, LocalAlloc, GetProcAddress, LoadLibraryW, GetCurrentProcessId, FreeConsole, AttachConsole, DecodePointer, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, GetModuleHandleA, GetModuleFileNameA, DuplicateHandle, InitializeCriticalSection, GetCurrentThread, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemDirectoryA, LoadLibraryA, FindVolumeClose, RaiseException, InitializeCriticalSectionAndSpinCount, Sleep, GetLogicalDriveStringsA, GetVolumeInformationA, FindFirstVolumeA, GetSystemFirmwareTable, GetStdHandle, SetCurrentDirectoryA, GetCurrentDirectoryA, FindFirstFileA, FindNextFileA, CreateProcessA, GetStartupInfoA, SetDllDirectoryA, GetFileInformationByHandleEx, GetFileTime, SetFileTime, GetSystemTime, SystemTimeToFileTime, GetDateFormatW, GetTimeFormatW, GetTempPathW, GetSystemInfo, FileTimeToLocalFileTime, LocalFileTimeToFileTime, GetSystemTimeAsFileTime, FileTimeToSystemTime, SetLastError, GlobalAlloc, GlobalSize, GlobalUnlock, GlobalLock, GlobalFree, MulDiv, lstrcmpA, OutputDebugStringA, EncodePointer, GlobalDeleteAtom, lstrcmpW, GlobalAddAtomW, GlobalFindAtomW, CompareStringW, FlushFileBuffers, GetFileSize, GetVolumeInformationW, LockFile, SetEndOfFile, SetFilePointer, UnlockFile, WriteFile, lstrcmpiW, MoveFileW, GetStringTypeExW, GetThreadLocale, SetEvent, CreateEventW, SetThreadPriority, SuspendThread, ResumeThread, GetPrivateProfileIntW, GetPrivateProfileStringW, WritePrivateProfileStringW, CompareStringA, GlobalReAlloc, GlobalHandle, LocalReAlloc, GlobalGetAtomNameW, GetAtomNameW, GlobalFlags, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, VirtualProtect, GetFileAttributesExW, GetFileSizeEx, SystemTimeToTzSpecificLocalTime, SetErrorMode, GetCurrentDirectoryW, VerSetConditionMask, lstrcpyW, VerifyVersionInfoW, FindResourceExW, GetWindowsDirectoryW, GetTickCount64, SearchPathW, GetProfileIntW, GetDiskFreeSpaceW, ReplaceFileW, GetUserDefaultLCID, GetTickCount, LocalLock, LocalUnlock, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, ResetEvent, IsDebuggerPresent, QueryPerformanceCounter, InitializeSListHead, VirtualQuery, WriteConsoleW, OutputDebugStringW, FormatMessageA, GetStringTypeW, GetLocaleInfoEx, LCMapStringEx, CompareStringEx, GetCPInfo, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, ExitProcess, GetModuleHandleExW, CreateThread, ExitThread, FreeLibraryAndExitThread, SetStdHandle, VirtualAlloc, GetCommandLineA, HeapQueryInformation, QueryPerformanceFrequency, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, LCMapStringW, IsValidLocale, EnumSystemLocalesW, GetTimeZoneInformation, SetFilePointerEx, SetCurrentDirectoryW, MoveFileExW, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetConsoleCtrlHandler, LoadLibraryExA

Exports

Name	Ordinal	Address
??0DSMIPMIInterfaceImpl@@QAE@XZ	1	0x40d1b1
??1DSMIPMIInterfaceImpl@@UAE@XZ	2	0x40889b
??4DSMIPMIInterfaceImpl@@QAEAAV0@ABV0@@Z	3	0x41976d
??_7DSMIPMIInterfaceImpl@@6B@	4	0x9d8a50
?IPMIRequest@DSMIPMIInterfaceImpl@@QAEIPAU_DSMIPMICommandData@@@Z	5	0x407a77
?Initialize@DSMIPMIInterfaceImpl@@QAEIPBU_DSMIPMIConfiguration@@@Z	6	0x4229ad
?Initialize@DSMIPMIInterfaceImpl@@QAEIVDSMString@@@Z	7	0x40b965
?InitializeDSMLogger@DSMIPMIInterfaceImpl@@AAEXXZ	8	0x40c18f
?Release@DSMIPMIInterfaceImpl@@QAEIXZ	9	0x4075c7
?freePMInfo@@YAHPAUPMInfo@@@Z	10	0x40aa88
?getPMInfo@@YAHHPAPAUPMInfo@@@Z	11	0x406410
?getPMStatus@@YAHXZ	12	0x41279c
?getTestPMInfo@@YAHHPAPAUPMInfo@@@Z	13	0x406ea1
?mDrvHandler@DSMIPMIInterfaceImpl@@0VDriverManager@@A	14	0xabba80

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:31:04
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE"
Imagebase:	0x820000
File size:	50'595'424 bytes
MD5 hash:	51EF7E32D7120C644FABEE284AF7501A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.2%
Total number of Nodes:	65
Total number of Limit Nodes:	7

Executed Functions

Function 00888820 Relevance: 30.4, APIs: 9, Strings: 8, Instructions: 689
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryW.KERNEL32(00DC1DDC), ref: 00888872
GetCurrentProcess.KERNEL32(00000000), ref: 008888C4
IsWow64Process.KERNEL32(00000000), ref: 008888D2
GetSystemWow64DirectoryA.KERNEL32(?,00000104), ref: 008888F3
AddDllDirectory.KERNELBASE(?), ref: 00888952
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0088896F
AddDllDirectory.KERNEL32(?), ref: 00888985
SetDefaultDllDirectories.KERNEL32(00000400), ref: 00888999
SetUnhandledExceptionFilter.KERNEL32(Function_0005AEF0), ref: 008889AD

Strings

DupAPI::Init, xrefs: 00888B45
freshinstall, xrefs: 00889184
Update Package Execution Started, xrefs: 00888B80
force, xrefs: 00889292
The parameter force is not found in mup file .. dropping /f from commandline, xrefs: 008892C9
passthrough, xrefs: 00888F10
debug, xrefs: 00889080
The bahaviour freshinstall is not found in mup file .. dropping /i from commandline, xrefs: 008891BB

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Directory$ProcessSystemWow64$CurrentDefaultDirectoriesExceptionFilterUnhandled
String ID: DupAPI::Init$The bahaviour freshinstall is not found in mup file .. dropping /i from commandline$The parameter force is not found in mup file .. dropping /f from commandline$Update Package Execution Started$debug$force$freshinstall$passthrough
API String ID: 3797414157-3376901661
Opcode ID: 049407f01a2760c26a5e925b919f824912315f6e4bbb9db321c30b267d3ae108
Instruction ID: 2527e39c512b70d7362b77be956e3035cbdaf3354023faefca406f7e380f109e
Opcode Fuzzy Hash: 049407f01a2760c26a5e925b919f824912315f6e4bbb9db321c30b267d3ae108
Instruction Fuzzy Hash: 6E623970D04268DADB14EB68CC55BEEBBB1FF54304F1441D9E049AB282DB756B84CFA2

Function 0089A7E0 Relevance: 32.1, APIs: 5, Strings: 13, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failure creating directory: ", xrefs: 0089B01A
Symlink/Junction folder deletion Successful., xrefs: 0089AD45
Symlink/Junction folder deletion failed. Could be a file, xrefs: 0089AC56
5, xrefs: 0089AB8A
FileUtility::CreateDirectoryTree, xrefs: 0089A81F
;XY, xrefs: 0089B029
Creating directory tree: ", xrefs: 0089A94A
Symlink/Junction deletion failed for a file or file does not exist., xrefs: 0089ACB8
Folder creation fails after Symlink/junction deletion, xrefs: 0089ADC6
ModifyACL Error for the Folder: ", xrefs: 0089AE84
EXIT_FAILURE_CREATINGDACL: ", xrefs: 0089A8AB
Symlink/Junction deletion successful for a file., xrefs: 0089ACFD
The error message reported by the system is: , xrefs: 0089B129

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID:
String ID: The error message reported by the system is: $5$Creating directory tree: "$EXIT_FAILURE_CREATINGDACL: "$Failure creating directory: "$FileUtility::CreateDirectoryTree$Folder creation fails after Symlink/junction deletion$ModifyACL Error for the Folder: "$Symlink/Junction deletion failed for a file or file does not exist.$Symlink/Junction deletion successful for a file.$Symlink/Junction folder deletion Successful.$Symlink/Junction folder deletion failed. Could be a file$;XY
API String ID: 0-1638253330
Opcode ID: 14e395e1967359cff072427511192bc990f6022a36795082dd5dabe057ceb876
Instruction ID: f8227accde9090c4d458ecb765cb7ebb05c8a1364dfb682ca151112a9841818d
Opcode Fuzzy Hash: 14e395e1967359cff072427511192bc990f6022a36795082dd5dabe057ceb876
Instruction Fuzzy Hash: 4E527971800268DADB24EB68DD56BDDB770FF51304F1441E9E04AA7292EB745F88CBA3

Function 008D07F0 Relevance: 23.3, APIs: 1, Strings: 12, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(00DC5114,00DC5110,00000000,?), ref: 008D08C5

Strings

^[/|-]passthrough[ ]*(.*), xrefs: 008D0CF1
(Exe is empty), xrefs: 008D0972
CCommandLineParser::GetPassthroughParameters, xrefs: 008D0840
/passthrough /factoryinstall, xrefs: 008D0D36
Parse Error from fragment: , xrefs: 008D0FD9
/factoryinstall /passthrough option is given. Parameters to vendor installer: , xrefs: 008D0E29
Original command line : , xrefs: 008D0873
^[" ]*, xrefs: 008D0A9E
/passthrough /factoryinstall option is given. Parameters to vendor installer: , xrefs: 008D0F2B
Parse Error from fragment: , xrefs: 008D092A
/factoryinstall /passthrough, xrefs: 008D0D22
(Parameters are present before passthough), xrefs: 008D1021

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CommandLine
String ID: (Exe is empty)$ (Parameters are present before passthough)$/factoryinstall /passthrough$/factoryinstall /passthrough option is given. Parameters to vendor installer: $/passthrough /factoryinstall$/passthrough /factoryinstall option is given. Parameters to vendor installer: $CCommandLineParser::GetPassthroughParameters$Original command line : $Parse Error from fragment: $Parse Error from fragment: $^[" ]*$^[/|-]passthrough[ ]*(.*)
API String ID: 3253501508-3621482309
Opcode ID: 6bd96195dffa7001749492f60f752841c34495d7b6792ec978dfc21063fcc497
Instruction ID: f181d5fb2105a212eaa4926f4fb1e38f4349281b99c677ef492b6a3f58e1f44d
Opcode Fuzzy Hash: 6bd96195dffa7001749492f60f752841c34495d7b6792ec978dfc21063fcc497
Instruction Fuzzy Hash: C9427C71801258EADB14EB68CC95BDDBB74FF51304F5481D9E04AA7292DB705F88CFA2

Function 0086AF30 Relevance: 5.1, APIs: 4, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0086AFB3
GetLastError.KERNEL32(?,?), ref: 0086AFE6
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0086B010
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0086B056

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 939584872a210de9a92b547432cc0ea4cc02fda93f6e8b62e8ee4469ca0bf78a
Instruction ID: 2b54436eb712cb457e4c42d7e13d24c47bffd544bf3e19cfdb0a4752ed4989c4
Opcode Fuzzy Hash: 939584872a210de9a92b547432cc0ea4cc02fda93f6e8b62e8ee4469ca0bf78a
Instruction Fuzzy Hash: 8641E8B5D00218AFDB14DF98C892BAEBBB5FF48304F108558F515EB280D775AE409BD2

Function 00887790 Relevance: 2.1, APIs: 1, Instructions: 577
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59862913c0e71b0d0e87bf64d5be73444231ff204e061f206234b3426621b66c
Instruction ID: 80afe8438550325fbaa37df0b3853fc90063974172b7e1065522f4720f64ea0d
Opcode Fuzzy Hash: 59862913c0e71b0d0e87bf64d5be73444231ff204e061f206234b3426621b66c
Instruction Fuzzy Hash: BD428430D05258DACF14EBA8D856BDDBB74FF65304F2080A8E056A7292DB309F49CB92

Function 0089DE10 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00008023,00000000,00000000,?,3FF913FA), ref: 0089DE7F

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: be68d78c73d48b748dd58518f577c8820c30785650867062ca9abed7595acd73
Instruction ID: 7b530d624186b1bf2c410c63ed8df703226fb59ff5e525fc31463325bb656a61
Opcode Fuzzy Hash: be68d78c73d48b748dd58518f577c8820c30785650867062ca9abed7595acd73
Instruction Fuzzy Hash: 1A317C719052589ADB24EB68DC4ABDDB7B4FB44300F1081A9A40AE7291DB756F88CB92

Function 0086A3B0 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,?,00000006), ref: 0086A3D6

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 11a433c60bfb1276fcc252ff759db3705b2fcf3b53337be6737e965717b6969f
Instruction ID: 64db61959bdc5eb493977acfe6d30cd1d305044cb5775c3b8d95031dc3f2d31c
Opcode Fuzzy Hash: 11a433c60bfb1276fcc252ff759db3705b2fcf3b53337be6737e965717b6969f
Instruction Fuzzy Hash: 34F090B2D14118BFCB10EF5CD982AAE37A8FB44310F108568F909DB280E675EE40A7D2

Function 008CC290 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetSecurityDescriptorControl.ADVAPI32(00001000,00001000,00001000), ref: 008CC2CA

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ControlDescriptorSecurity
String ID:
API String ID: 3376414291-0
Opcode ID: 2481dc976966895101dee930fc55e58c2f770e1661cc9185fa415aec0d2bf52b
Instruction ID: 2767b421ae36052edd8ed6e714bd2991c4c979d2e2b68a61e79d016edbe2e257
Opcode Fuzzy Hash: 2481dc976966895101dee930fc55e58c2f770e1661cc9185fa415aec0d2bf52b
Instruction Fuzzy Hash: FFF08CB11402186BDB10AF95C882FAA37A8BB94394F004018F94DCF281DAB6E88187D6

Function 0089A780 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?), ref: 0089A796

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2495be8726d24eb9f90564e74427f205f42bbcd88a49de7f46a40b6d406b39c5
Instruction ID: eae75628070d65011167405e21212b5a989b61e8be8988a71c2bafffcb7d437e
Opcode Fuzzy Hash: 2495be8726d24eb9f90564e74427f205f42bbcd88a49de7f46a40b6d406b39c5
Instruction Fuzzy Hash: D5E06DB680521CBBCB10EF9D8842AEE7778EB44214F044185E84897340D671AE4097D2

Function 055A0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2940272397.00000000055A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55a0000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 1a7bc2fc193db2a1a018c7319122b1fa4c48ec4ba8e059f8c95d28fd299d7ded
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 055A0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2940272397.00000000055A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55a0000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 1a7bc2fc193db2a1a018c7319122b1fa4c48ec4ba8e059f8c95d28fd299d7ded
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Non-executed Functions

Function 008C7FC0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,3FF913FA), ref: 008C803B

Strings

%ls%ls%ls, xrefs: 008C80AD
%ls\*, xrefs: 008C8003

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: FileFindFirst
String ID: %ls%ls%ls$%ls\*
API String ID: 1974802433-3890807286
Opcode ID: c74c4e7d113d85a549fa40ec0f6e84faaefb30bb40ca92025ff84634ab7129d5
Instruction ID: 117a5454a861cba112526efbb2674345990408688888980e601b0372fdb03718
Opcode Fuzzy Hash: c74c4e7d113d85a549fa40ec0f6e84faaefb30bb40ca92025ff84634ab7129d5
Instruction Fuzzy Hash: 284165B2940518DFCB20EB64DC55F9DB379FB84710F00869DA519E7180EB319E488F95

Function 0086C390 Relevance: 4.6, APIs: 3, Instructions: 82COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?), ref: 0086C3B5
LockResource.KERNEL32(00000000), ref: 0086C3D8

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Resource$LoadLock
String ID:
API String ID: 1037334470-0
Opcode ID: 8072fa292b97dfe4cf4f9fecbffe0259e048db0746b7ea4a62a812f4da78656a
Instruction ID: 81630bd1b070a8e9b64fe3436a369b0dabd77288d8b42bb9111d4ec213f3f313
Opcode Fuzzy Hash: 8072fa292b97dfe4cf4f9fecbffe0259e048db0746b7ea4a62a812f4da78656a
Instruction Fuzzy Hash: 80312670D0021DEFCB50EFA8C595ABEB7B5FB48704F218999E845EB244D730AE40DB91

Function 008B7180 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 008B71D4

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 882a303787fa969404a246b08245efec93212e2843823d3fa132fc05a146eb16
Instruction ID: fac5fd2b195157ae8a8ee337b9927c95c6504a848a9627886178760e82732e1f
Opcode Fuzzy Hash: 882a303787fa969404a246b08245efec93212e2843823d3fa132fc05a146eb16
Instruction Fuzzy Hash: 0201DB32D002585BDB20EB6CDC02FDDB7F9EB89310F0000E5E949E7281DA755A5887D2

Function 008B49A0 Relevance: 1.5, APIs: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,?,?,00DC43EC,CCCCCCCC), ref: 008B49C6

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 175531ab89783753e0e9c7840212f4e0f207462ba7bb0b5ec6d4b3da678c0bbd
Instruction ID: 2298dad9f9088133ffd41630ed486964cbcd165546307ff3c6d45dca4382a2de
Opcode Fuzzy Hash: 175531ab89783753e0e9c7840212f4e0f207462ba7bb0b5ec6d4b3da678c0bbd
Instruction Fuzzy Hash: 19E01AB2D45218BF8B10EF8DD882DAFB7ACEF88350B008149F808D7300D671AE5087E6

Function 0089D870 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?), ref: 0089D886

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 044bb8a885f857530cce0c5cb6002e11ec341037aa26df8a180897f8505945bf
Instruction ID: 8af049b099d40b6898194a87ec310947f9a5d28e2ded56a9bc54cedfcdf13e22
Opcode Fuzzy Hash: 044bb8a885f857530cce0c5cb6002e11ec341037aa26df8a180897f8505945bf
Instruction Fuzzy Hash: DCD0177210062C6F8B00EF9DE882C9A73ACAB8C210B404104FA1CD7640C630EC8087E2

Function 0089D3E0 Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0089D3EE

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0c0bf7eb06061cb366215cc5b8901239b988420ada33424209dcc16d7f02e180
Instruction ID: 9bb058eb9c0e011ee2d5c75a32ad75cdcd295f8996870e789495a21b32b83b5e
Opcode Fuzzy Hash: 0c0bf7eb06061cb366215cc5b8901239b988420ada33424209dcc16d7f02e180
Instruction Fuzzy Hash: 43D0123201072C6F8650BB9DD882DDD779CAE48260B404145F90CDB541CA75FC8087D2

Function 008B8A50 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 382fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00000000,FileUtility::WritePayloadContents,3FF913FA,?,?,?,00D78C78,000000FF), ref: 008B8AD7
CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,?), ref: 008B8C17
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 008B8C48
CloseHandle.KERNEL32(?), ref: 008B8C98

Strings

Unicode payload log file detected: , xrefs: 008B8CB2
Failed to concatenate, xrefs: 008B8D9C, 008B8F30
Failed to copy, xrefs: 008B8D1E, 008B8EB2
No payload file log file created., xrefs: 008B8B3A
FileUtility::WritePayloadContents, xrefs: 008B8A93
ASCII payload log file detected: , xrefs: 008B8E46
Log File Name: , xrefs: 008B8D01, 008B8E95

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: File$AttributesCloseCreateHandleRead
String ID: ASCII payload log file detected: $Failed to concatenate$Failed to copy$FileUtility::WritePayloadContents$Log File Name: $No payload file log file created.$Unicode payload log file detected:
API String ID: 2880068760-1282105430
Opcode ID: a7f22dbca49be6442ade995837a613834ceda0a6b594abbb5cf73b9e39985e5c
Instruction ID: f612eab636aac92f40bb5d7bd666750d450e70d2484ee1cdbe1e30048f6b6fef
Opcode Fuzzy Hash: a7f22dbca49be6442ade995837a613834ceda0a6b594abbb5cf73b9e39985e5c
Instruction Fuzzy Hash: 92F15C71800228DACB24EB68CC96BEDB778FF54300F444199F14AE7592DF745B88CBA2

Function 00888330 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 290COMMON

Download Yara Rule

APIs

SetDllDirectoryW.KERNEL32(00000000), ref: 008883FB
SetDllDirectoryW.KERNEL32(00000000), ref: 0088846D

Strings

Manufacturers name : , xrefs: 0088855B
Failed to obtain Personality Information, xrefs: 00888480
Entered GetPersonalityInfo,Waiting for results...from PMDataCollector.lib->getPMInfo(), xrefs: 00888408
OFF, xrefs: 00888707
Copied all Personality Information to Framework, xrefs: 00888717
DupAPI::GetPersonalityInfo, xrefs: 0088837B
\hapi, xrefs: 008883AA
Data Location : , xrefs: 00888609
Obtained Personality Information, xrefs: 008884F5

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Directory
String ID: Copied all Personality Information to Framework$Data Location : $DupAPI::GetPersonalityInfo$Entered GetPersonalityInfo,Waiting for results...from PMDataCollector.lib->getPMInfo()$Failed to obtain Personality Information$Manufacturers name : $OFF$Obtained Personality Information$\hapi
API String ID: 3297363577-1749413133
Opcode ID: d260d89ca9029011839f76cb2bfcc21b5db3a4825fde22cca70e134e53e4e283
Instruction ID: 602918edcd49e80d08998e92d6628f6a3c2573248c27918de10ac3ef5dcc382d
Opcode Fuzzy Hash: d260d89ca9029011839f76cb2bfcc21b5db3a4825fde22cca70e134e53e4e283
Instruction Fuzzy Hash: C5D13A71800258DBDB15EBA8CD91BDDBBB4FF55304F108199E14AA7292DB705F88CFA2

Function 0088C7C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,BIN,3FF913FA), ref: 0088C80D
FindResourceW.KERNEL32(00000000), ref: 0088C81B
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0088C83F
LoadResource.KERNEL32(00000000), ref: 0088C84D
LockResource.KERNEL32(?), ref: 0088C863
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0088C87D
SizeofResource.KERNEL32(00000000), ref: 0088C88B

Strings

BIN, xrefs: 0088C7FF

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Resource$HandleModule$FindLoadLockSizeof
String ID: BIN
API String ID: 3835513469-1015027815
Opcode ID: 70b9f2f5dab6cacb2a96e3b6a58b6cfe01fd4f8cc60cb98fe8656fce8da7750d
Instruction ID: f290f8eaf97e5c80e4ff99b7ad6fc94e4b8d1d7a5ced95b22ea31c3dc42d8398
Opcode Fuzzy Hash: 70b9f2f5dab6cacb2a96e3b6a58b6cfe01fd4f8cc60cb98fe8656fce8da7750d
Instruction Fuzzy Hash: C3412E72900218AFCB14EFA9D946B9EB7B5FB84310F104618F515EB291DB75AE04CBE2

Function 00863440 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 131registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00DBD680,00000000,000F003F,?,?,00000000,EnableAutoPlay,3FF913FA), ref: 008634C7
RegCloseKey.ADVAPI32(?), ref: 00863578

Strings

DisableAutoplay, xrefs: 00863504
DisableAutoplay, xrefs: 0086355C
Failed - Restoring default value for pop-up control registry, xrefs: 0086351E
EnableAutoPlay, xrefs: 0086347C
HKCU Enable Autoplay Failed, xrefs: 00863587

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CloseOpen
String ID: DisableAutoplay$DisableAutoplay$EnableAutoPlay$Failed - Restoring default value for pop-up control registry$HKCU Enable Autoplay Failed
API String ID: 47109696-4014728294
Opcode ID: 94bb1575a5d86d3fe2879fa81ed7be4c1ee792c925dc40cada2e9f7d313f90fe
Instruction ID: 064fd38497bac728281e1364cbfb0be114161df9b735a2dadc5557dc72873218
Opcode Fuzzy Hash: 94bb1575a5d86d3fe2879fa81ed7be4c1ee792c925dc40cada2e9f7d313f90fe
Instruction Fuzzy Hash: EC419E72900218EFDB14EB98DC86FEDB774FB44704F504259E116BB291DF746A09CB92

Function 0088A170 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 206COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0088A367

Strings

Executable mentioned in MUP.xml does not contain extension: , xrefs: 0088A289
<, xrefs: 0088A30E
Shell Execute Error. System error text = , xrefs: 0088A3A5
Working Directory: , xrefs: 0088A228
DupAPI::Execute, xrefs: 0088A1B4
Command: , xrefs: 0088A1E6

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ErrorLast
String ID: <$Command: $DupAPI::Execute$Executable mentioned in MUP.xml does not contain extension: $Shell Execute Error. System error text = $Working Directory:
API String ID: 1452528299-2707517293
Opcode ID: 2202386c704aa8e46ca65951853b851c397580ce197aefb80cc97b7ec4bd052e
Instruction ID: 702a872769a103a3aad6613ac72a6fd98ac377d93f46afcd1bc95e958e659344
Opcode Fuzzy Hash: 2202386c704aa8e46ca65951853b851c397580ce197aefb80cc97b7ec4bd052e
Instruction Fuzzy Hash: B1914A71C00258DADB24EB98DC55FDDB7B4FF54300F1082A9E116A7291EB705F89CB92

Function 008703C0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0087043C
CoUninitialize.COMBASE ref: 0087050A

Strings

DellInstaller::getOSBuildNumberAndMajorVersion, xrefs: 00870404
OS Build number and Major version are successfully fetched, xrefs: 008705EF
COM Initialization failed. CoInitializeEx() has returned , xrefs: 00870456
COM objects cleaned up, xrefs: 008704C5

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: InitializeUninitialize
String ID: COM Initialization failed. CoInitializeEx() has returned $COM objects cleaned up$DellInstaller::getOSBuildNumberAndMajorVersion$OS Build number and Major version are successfully fetched
API String ID: 3442037557-3233016000
Opcode ID: 449c29eae954520c9bcd92da066cbe710a84cee4e3faba5fb21f9685a0433dcc
Instruction ID: 183505eb52292faaa8f684ab5a151b3f18a1ec3caf17eded4a54fcd4c9136d4c
Opcode Fuzzy Hash: 449c29eae954520c9bcd92da066cbe710a84cee4e3faba5fb21f9685a0433dcc
Instruction Fuzzy Hash: 55816C71801268DACB15EBA8CD56BDDBBB4FF55300F1041D9E14AB7292EB741F48CBA2

Function 0088F0C0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0088F13C
CoUninitialize.COMBASE ref: 0088F20A

Strings

DupAPI::getOSBuildNumberAndMajorVersion, xrefs: 0088F104
COM Initialization failed. CoInitializeEx() has returned , xrefs: 0088F156
OS Build number and Major version are successfully fetched, xrefs: 0088F2EF
COM objects cleaned up, xrefs: 0088F1C5

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: InitializeUninitialize
String ID: COM Initialization failed. CoInitializeEx() has returned $COM objects cleaned up$DupAPI::getOSBuildNumberAndMajorVersion$OS Build number and Major version are successfully fetched
API String ID: 3442037557-942405743
Opcode ID: bce0490e767ffb178f10a4aee30807a42859e6a5e1b4a134db0eeb3828d6829c
Instruction ID: 270472b982650fe7672bc372b76fb5b05be18d0d8341257464bd2f208baf9991
Opcode Fuzzy Hash: bce0490e767ffb178f10a4aee30807a42859e6a5e1b4a134db0eeb3828d6829c
Instruction Fuzzy Hash: D2815C71800268DEDB15EBA8CD52BDDB7B4FF55300F104199E14AB7292EB741F48CBA2

Function 00889E20 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 193COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,3FF913FA), ref: 0088A02D

Strings

<, xrefs: 00889F25
Command: , xrefs: 00889E96
Shell Execute Error. System error text = , xrefs: 0088A06B
Verb: , xrefs: 00889ED8
DupAPI::Launch, xrefs: 00889E64
Open file: , xrefs: 00889FAF

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ErrorLast
String ID: Verb: $<$Command: $DupAPI::Launch$Open file: $Shell Execute Error. System error text =
API String ID: 1452528299-2372720724
Opcode ID: 5508f4212bc7fdf7da3ab1ac17361c1cf1c4e8265e85fba077852d03098c4239
Instruction ID: efe439a3b4c0382e98bbe40ca2db14ea54d61df2b6c45665713e9da3eb7b9bb0
Opcode Fuzzy Hash: 5508f4212bc7fdf7da3ab1ac17361c1cf1c4e8265e85fba077852d03098c4239
Instruction Fuzzy Hash: FC814B71800258DEDB15EB98DC55BEDB7B4FF55300F008199E15AA7281EB705F89CFA2

Function 00863640 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,DisableAutoplay,00000000,00000004,00ECD018,00000004), ref: 00863717
RegCloseKey.ADVAPI32(?), ref: 0086372A

Strings

SaveAutoPlay, xrefs: 0086367F
DisableAutoplay, xrefs: 0086370E
HKCU - Creating or opening registry for disabling Autorun failed, xrefs: 00863739

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CloseQueryValue
String ID: DisableAutoplay$HKCU - Creating or opening registry for disabling Autorun failed$SaveAutoPlay
API String ID: 3356406503-1693785224
Opcode ID: d82ef134233e16631250dea96ff6250e7b62413081cf60a9f34db20ba2ab2564
Instruction ID: 7af3d62a421e8545d8d8dc903c149f6984cf2b9be8713fe1266f3a05264ed6c5
Opcode Fuzzy Hash: d82ef134233e16631250dea96ff6250e7b62413081cf60a9f34db20ba2ab2564
Instruction Fuzzy Hash: BB415E72900218AFDB14EB98DC42FEDB778FB44700F508269F516B7291DF752A49CBA2

Function 00863280 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00DBD680,00000000,000F003F,?,?,00000000,DisableAutoPlay,3FF913FA), ref: 00863319
RegCloseKey.ADVAPI32(?), ref: 00863364

Strings

HKCU Disable Autoplay Failed, xrefs: 00863373
DisableAutoPlay, xrefs: 008632B9
DisableAutoplay, xrefs: 00863348

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: CloseOpen
String ID: DisableAutoPlay$DisableAutoplay$HKCU Disable Autoplay Failed
API String ID: 47109696-2539090149
Opcode ID: 9fe6dd861e56dbb16d3e1025a8aaa62210b9ce45786bb2fc38e49f33316f8175
Instruction ID: c1499d890236852e52f1407d8964a1819e8b1193924e752ac70b49b9a5947923
Opcode Fuzzy Hash: 9fe6dd861e56dbb16d3e1025a8aaa62210b9ce45786bb2fc38e49f33316f8175
Instruction Fuzzy Hash: 15417F72D00258AFDB14EB98DC46BEEB775FF44704F104229E512AB291DF756A08CB92

Function 008F2480 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 008F24A2
GetLastError.KERNEL32 ref: 008F24EA
LoadResource.KERNEL32(?,00000000), ref: 008F2508
SizeofResource.KERNEL32(?,00000000), ref: 008F2522
GetLastError.KERNEL32 ref: 008F253C

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ErrorLastResource$HandleLoadModuleSizeof
String ID:
API String ID: 1646277414-0
Opcode ID: 338674bbe57fee062e7617f74253c536bbbbcc3f69caaac898c4c696175636d3
Instruction ID: f4d56d28a36c37485b0f0cfe7eda0c531af6e74d1fa4778b4ccb68db061a6a4a
Opcode Fuzzy Hash: 338674bbe57fee062e7617f74253c536bbbbcc3f69caaac898c4c696175636d3
Instruction Fuzzy Hash: AA310CB1D00218AFCB50EFACC846BAEBBB5FF48310F504599E919EB245E7745A408BD2

Function 008B6F00 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008B6F8A
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 008B6FBD
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008B6FEB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 008B7035

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 90209bb8eaaf7a97a098d563d7527c24b5e5ab1b4a376a775715a8de424a657e
Instruction ID: e9289f674d9e879055d0ef8c068777a89c56417185f5b51edfac58b8c58cf9f8
Opcode Fuzzy Hash: 90209bb8eaaf7a97a098d563d7527c24b5e5ab1b4a376a775715a8de424a657e
Instruction Fuzzy Hash: 2051ECB5D00218AFDB54EF98C882BAEB7B5FB88704F108159F515EB381D775AE408BD1

Function 008B4250 Relevance: 6.1, APIs: 4, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,3FF913FA), ref: 008B42CB
SysAllocStringLen.OLEAUT32(00000000,?), ref: 008B42F8
MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,?), ref: 008B4326
SysFreeString.OLEAUT32(00000000), ref: 008B4344

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID:
API String ID: 447844807-0
Opcode ID: ca81056457b9a33ef41b764ee0fff29abb123d5b40184f831156b8736eb8141c
Instruction ID: 093c190172576b022d48690104194f2d8d422d88bf8b8e0325f4b5411f74de7f
Opcode Fuzzy Hash: ca81056457b9a33ef41b764ee0fff29abb123d5b40184f831156b8736eb8141c
Instruction Fuzzy Hash: 37410772900218AFCB14EFA8D986FDEB7B5FB48720F108219F525AB390D7356D44CB91

Function 00871440 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 00871510
LocalFree.KERNEL32(00000000), ref: 008715CA

Strings

wmiutils.dll, xrefs: 00871479

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: Free$LibraryLocal
String ID: wmiutils.dll
API String ID: 3007483513-1385082176
Opcode ID: a54192a5e262c2b680565a1491781e3c4af26dc68fddeab8798565415dc9f0b4
Instruction ID: cfbb19047097b71d3ec3c2ec35463952dd7f187bafdd2bd496e60d3e81969a4d
Opcode Fuzzy Hash: a54192a5e262c2b680565a1491781e3c4af26dc68fddeab8798565415dc9f0b4
Instruction Fuzzy Hash: 00518171D042489FCF14EFACD855BEDBBB4FF44304F248119E416AB286DB349949CB92

Function 00886560 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(00000000,00000000,?,00DC1BFC,3FF913FA), ref: 008866EA

Strings

DupAPI::CleanupPayloadFolder, xrefs: 008865A4
Empty Payload Extract path. Exiting, xrefs: 008865E8

Memory Dump Source

Source File: 00000000.00000002.2936357900.0000000000863000.00000020.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true

Associated: 00000000.00000002.2936325310.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000821000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000852000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000895000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.00000000008FC000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000B3E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000D6D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936357900.0000000000DB8000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000DBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000E6A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937017795.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937179704.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937198074.0000000000ED0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000ED9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937218956.0000000000EDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937267653.0000000000EE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937290705.0000000000EE4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937313094.0000000000EE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937332451.0000000000EE7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000000EEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001176000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2937355037.0000000001193000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_Dell-Pair-Application_9DY26_WIN_1.jbxd

Similarity

API ID: DirectoryRemove
String ID: DupAPI::CleanupPayloadFolder$Empty Payload Extract path. Exiting
API String ID: 597925465-655005624
Opcode ID: b811b08bdbd47bff1af112cce2e874031b3dd61771a6df7f4410d75a2e5ad98d
Instruction ID: 3d34621bb2387e39077cd706bd9e41a22f93cb5f5bda22b237b8bca472ca6606
Opcode Fuzzy Hash: b811b08bdbd47bff1af112cce2e874031b3dd61771a6df7f4410d75a2e5ad98d
Instruction Fuzzy Hash: 00516F71900268DEDB14EBA8C956BEDB775FF51304F1081ADE046A7292EF701F48CBA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Dell\UpdatePackage\Log\Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.txt

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\104[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\info_normal[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\close_hover[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\script[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\close_normal[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\logo[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\styles[1]

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Dell-Pair-Application_9DY26_WIN_1.2.4_A00-00.EXE

Function 00888820 Relevance: 30.4, APIs: 9, Strings: 8, Instructions: 689
fileCOMMON

Function 0089A7E0 Relevance: 32.1, APIs: 5, Strings: 13, Instructions: 639
COMMON

Function 008D07F0 Relevance: 23.3, APIs: 1, Strings: 12, Instructions: 563
COMMON

Function 0086AF30 Relevance: 5.1, APIs: 4, Instructions: 132
COMMON

Function 00887790 Relevance: 2.1, APIs: 1, Instructions: 577
COMMON

Function 0089DE10 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Function 0086A3B0 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON