Create Interactive Tour

Windows Analysis Report notepad.exe

Overview

General Information

Sample Name:	notepad.exe
Analysis ID:	458596
MD5:	1c1760ed4d19cdbecb2398216922628b
SHA1:	66b6158b28cc2b970e454b6a8cf1824dd99e4029
SHA256:	d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2
Infos:
Most interesting Screenshot:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

notepad.exe (PID: 4904 cmdline: 'C:\Users\user\Desktop\notepad.exe' MD5: 1C1760ED4D19CDBECB2398216922628B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• Cryptography
• Compliance
• Spreading
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B9004FC GetFileAttributesW,DuplicateEncryptionInfoFile,PathFileExistsW,CreateFileW,GetLastError,SendMessageW,SendMessageW,SendMessageW,SendMessageW,LocalLock,WriteFile,GetACP,WideCharToMultiByte,WriteFile,WriteFile,WriteFile,WriteFile,SetEndOfFile,LocalUnlock,SendMessageW,CloseHandle,memset,#170,PathFindExtensionW,memset,CoTaskMemFree,memset,CoTaskMemFree,GetFileAttributesW,DecryptFileW,WindowsCreateStringReference,RoGetActivationFactory,CoTaskMemFree,SetCursor,SetCursor,CloseHandle,LocalUnlock,DeleteFileW,		0_2_00007FF72B9004FC
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B927038 DuplicateEncryptionInfoFile,		0_2_00007FF72B927038

Source: notepad.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: notepad.pdbGCTL source: notepad.exe
Source:	Binary string: notepad.pdb source: notepad.exe

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B902CC8 CoTaskMemFree,CoTaskMemFree,PathIsFileSpecW,FindFirstFileW,FindClose,PathFindExtensionW,FindFirstFileW,FindClose,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF72B902CC8
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FCBEC LocalFree,FindFirstFileW,FindClose,FormatMessageW,SetWindowTextW,LocalFree,LocalFree,_Init_thread_footer,FindFirstFileW,FindClose,CompareStringOrdinal,FormatMessageW,SetWindowTextW,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF72B8FCBEC

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B8FD04C GetMenu,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,OpenClipboard,IsClipboardFormatAvailable,CloseClipboard,GetSubMenu,EnableMenuItem,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,GetSubMenu,EnableMenuItem,SendMessageW,GetSubMenu,EnableMenuItem,GetSubMenu,CheckMenuItem,GetSubMenu,CheckMenuItem,

0_2_00007FF72B8FD04C

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8F3E9C NtUpdateWnfStateData,GetModuleHandleW,GetProcAddress,		0_2_00007FF72B8F3E9C
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8F3DF4 NtQueryWnfStateData,GetModuleHandleW,GetProcAddress,		0_2_00007FF72B8F3DF4

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FC0F8	0_2_00007FF72B8FC0F8
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8F7834	0_2_00007FF72B8F7834
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B903D8C	0_2_00007FF72B903D8C
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B90E4C8	0_2_00007FF72B90E4C8
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FC4BC	0_2_00007FF72B8FC4BC
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE8EC	0_2_00007FF72B8FE8EC
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B9004FC	0_2_00007FF72B9004FC
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B911028	0_2_00007FF72B911028
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FEBA4	0_2_00007FF72B8FEBA4
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FDFCC	0_2_00007FF72B8FDFCC
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE3E0	0_2_00007FF72B8FE3E0
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B90EB20	0_2_00007FF72B90EB20
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FC744	0_2_00007FF72B8FC744
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B90F364	0_2_00007FF72B90F364
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B900EA0	0_2_00007FF72B900EA0
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE714	0_2_00007FF72B8FE714
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FEA48	0_2_00007FF72B8FEA48
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B902648	0_2_00007FF72B902648
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FDE70	0_2_00007FF72B8FDE70
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B910690	0_2_00007FF72B910690
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE284	0_2_00007FF72B8FE284
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B903A80	0_2_00007FF72B903A80
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8F720C	0_2_00007FF72B8F720C
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FB600	0_2_00007FF72B8FB600
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FA52E	0_2_00007FF72B8FA52E
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE128	0_2_00007FF72B8FE128
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FF520	0_2_00007FF72B8FF520
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B910D28	0_2_00007FF72B910D28
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FE53C	0_2_00007FF72B8FE53C
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8F7D38	0_2_00007FF72B8F7D38

Source: notepad.exe

Binary or memory string: OriginalFilename vs notepad.exe

Source: classification engine

Classification label: clean8.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B901B94 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF72B901B94

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B9113E4 CreateDirectoryW,GetLastError,CreateFileW,CloseHandle,GetDiskFreeSpaceExW,SendMessageW,CoTaskMemFree,

0_2_00007FF72B9113E4

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B912434 CoCreateInstance,

0_2_00007FF72B912434

Source: notepad.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\notepad.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: notepad.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: notepad.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: notepad.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: notepad.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: notepad.pdbGCTL source: notepad.exe
Source:	Binary string: notepad.pdb source: notepad.exe

Source: notepad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: notepad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: notepad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: notepad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: notepad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: notepad.exe

Static PE information: 0xF57E80D4 [Thu Jul 8 05:40:36 2100 UTC]

Source: notepad.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FB600 GetDlgCtrlID,memset,WindowsCreateStringReference,RoGetActivationFactory,MessageBeep,MessageBeep,DestroyWindow,DestroyWindow,DeleteObject,SendMessageW,IsIconic,SetFocus,IsIconic,GetForegroundWindow,GetForegroundWindow,DefWindowProcW,PostQuitMessage,SetCursor,SetCursor,SetCursor,SetCursor,GetKeyboardLayout,MessageBoxW,SetWindowPos,SendMessageW,GetDpiForWindow,MulDiv,CreateFontIndirectW,DeleteObject,SendMessageW,RedrawWindow,DefWindowProcW,EnableMenuItem,DefWindowProcW,		0_2_00007FF72B8FB600
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FB600 GetDlgCtrlID,memset,WindowsCreateStringReference,RoGetActivationFactory,MessageBeep,MessageBeep,DestroyWindow,DestroyWindow,DeleteObject,SendMessageW,IsIconic,SetFocus,IsIconic,GetForegroundWindow,GetForegroundWindow,DefWindowProcW,PostQuitMessage,SetCursor,SetCursor,SetCursor,SetCursor,GetKeyboardLayout,MessageBoxW,SetWindowPos,SendMessageW,GetDpiForWindow,MulDiv,CreateFontIndirectW,DeleteObject,SendMessageW,RedrawWindow,DefWindowProcW,EnableMenuItem,DefWindowProcW,		0_2_00007FF72B8FB600

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B903D8C rdtsc

0_2_00007FF72B903D8C

Source: C:\Users\user\Desktop\notepad.exe

API coverage: 2.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B903D8C GetKeyboardLayout followed by cmp: cmp ax, 0011h and CTI: jne 00007FF72B9047A9h country: Japanese (ja)

0_2_00007FF72B903D8C

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B902CC8 CoTaskMemFree,CoTaskMemFree,PathIsFileSpecW,FindFirstFileW,FindClose,PathFindExtensionW,FindFirstFileW,FindClose,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF72B902CC8
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B8FCBEC LocalFree,FindFirstFileW,FindClose,FormatMessageW,SetWindowTextW,LocalFree,LocalFree,_Init_thread_footer,FindFirstFileW,FindClose,CompareStringOrdinal,FormatMessageW,SetWindowTextW,CoTaskMemFree,CoTaskMemFree,		0_2_00007FF72B8FCBEC

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B903D8C rdtsc

0_2_00007FF72B903D8C

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B915510 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,

0_2_00007FF72B915510

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B916500 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF72B916500

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B8F7834 GetCurrentProcessId,CreateMutexW,WaitForSingleObjectEx,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapFree,memset,InitializeCriticalSectionEx,

0_2_00007FF72B8F7834

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B915890 SetUnhandledExceptionFilter,_o__set_new_mode,	0_2_00007FF72B915890
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B916500 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF72B916500
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B9166F8 SetUnhandledExceptionFilter,	0_2_00007FF72B9166F8
Source: C:\Users\user\Desktop\notepad.exe	Code function: 0_2_00007FF72B915A88 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF72B915A88

Source: C:\Users\user\Desktop\notepad.exe	Code function: GetLocaleInfoW,	0_2_00007FF72B900114
Source: C:\Users\user\Desktop\notepad.exe	Code function: GetLocaleInfoW,	0_2_00007FF72B8F9058
Source: C:\Users\user\Desktop\notepad.exe	Code function: memset,GetLocalTime,GetLocaleInfoW,GetUserDefaultUILanguage,GetDateFormatW,GetTimeFormatW,SendMessageW,	0_2_00007FF72B900174

Source: C:\Users\user\Desktop\notepad.exe

Code function: 0_2_00007FF72B9163A4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF72B9163A4

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Timestomp1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery23	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
notepad.exe	0%	Virustotal	Browse
notepad.exe	0%	Metadefender	Browse
notepad.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458596
Start date:	03.08.2021
Start time:	15:14:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	notepad.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean8.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.2% (good quality ratio 44.1%) Quality average: 27.4% Quality standard deviation: 35%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.315472935153009
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	notepad.exe
File size:	211968
MD5:	1c1760ed4d19cdbecb2398216922628b
SHA1:	66b6158b28cc2b970e454b6a8cf1824dd99e4029
SHA256:	d66458a3eb1b68715b552b3af32a9d2e889bbf8ac0c23c1afa8d0982023d1ce2
SHA512:	f058eda0c65e59105a7c794721697782f1e1db759c69a11dab09ca454aa89767addcc8ecefa54995527bc2cae983e44c9ed42b0973fdb47435b31428150b96db
SSDEEP:	3072:8GvxiAKXWqZE56LtBDxrdPiG4jMSVwkf85NfCAt/k6nrZvkweTbFEIzFbk0:8QxKWqC65BlNiP7V7k5NqG/k4f+uubk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T.P.:.P.:.P.:.Y...~.:.D.>.Z.:.D.9.S.:.D.;.Y.:.P.;.~.:.D.2.N.:.D.?.q.:.D...Q.:.D...Q.:.D.8.Q.:.RichP.:.................PE..d..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x140025a30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xF57E80D4 [Thu Jul 8 05:40:36 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	670212bd5fae78855c331eddeffdd4eb

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC5B4738750h
dec eax
add esp, 28h
jmp 00007FC5B4737C53h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0000CA41h]
jne 00007FC5B4737DF5h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FC5B4737DE5h
ret
dec eax
ror ecx, 10h
jmp 00007FC5B4737E54h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [00002EC9h]
mov ecx, 00000001h
mov dword ptr [0000D79Eh], eax
call 00007FC5B473882Eh
xor ecx, ecx
call dword ptr [000033A9h]
dec eax
mov ecx, ebx
call dword ptr [000033A8h]
cmp dword ptr [0000D781h], 00000000h
jne 00007FC5B4737DECh
mov ecx, 00000001h
call 00007FC5B473880Ah
call dword ptr [00002EBFh]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [000033ABh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f908	0x230	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0xbd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x35000	0x1218	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39000	0x2f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2ce00	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x28828	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28710	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28850	0x928	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2f220	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x26672	0x26800	False	0.510539265422	data	6.2703839023	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0x9b3c	0x9c00	False	0.519230769231	data	5.93009431776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x32000	0x2808	0xe00	False	0.162388392857	data	1.83637350506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x35000	0x1218	0x1400	False	0.47734375	data	4.77725385253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x37000	0x178	0x200	False	0.271484375	data	2.48605147045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0xbd8	0xc00	False	0.411783854167	data	4.60953946081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39000	0x2f0	0x400	False	0.41796875	data	4.25362792783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
EDPENLIGHTENEDAPPINFOID	0x38710	0x2	data	English	United States
EDPPERMISSIVEAPPINFOID	0x38718	0x2	data	English	United States
MUI	0x38a98	0x140	data	English	United States
RT_VERSION	0x38720	0x374	data	English	United States
RT_MANIFEST	0x38260	0x4af	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, CreateMutexExW, AcquireSRWLockShared, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, GetModuleHandleW, DebugBreak, IsDebuggerPresent, GlobalFree, GetLocaleInfoW, CreateFileW, ReadFile, MulDiv, GetCurrentProcess, GetCommandLineW, HeapSetInformation, FreeLibrary, LocalFree, LocalAlloc, FindFirstFileW, FindClose, CompareStringOrdinal, FoldStringW, InitOnceBeginInitialize, InitOnceComplete, GetModuleFileNameW, GetUserDefaultUILanguage, GetLocalTime, GetDateFormatW, GetTimeFormatW, WideCharToMultiByte, WriteFile, GetFileAttributesW, LocalLock, GetACP, LocalUnlock, DeleteFileW, SetEndOfFile, GetFileAttributesExW, GetFileInformationByHandle, CreateFileMappingW, MapViewOfFile, MultiByteToWideChar, LocalReAlloc, UnmapViewOfFile, GetFullPathNameW, LocalSize, GetStartupInfoW, lstrcmpiW, FindNLSString, GlobalLock, GlobalUnlock, GlobalAlloc, GetDiskFreeSpaceExW, CreateDirectoryW, RegisterApplicationRestart, CreateSemaphoreExW, CreateThreadpoolTimer, ReleaseSRWLockShared, SetThreadpoolTimer, CloseHandle, OpenSemaphoreW, WaitForSingleObjectEx, AcquireSRWLockExclusive, CloseThreadpoolTimer, OutputDebugStringW, ReleaseSRWLockExclusive, GetLastError, FormatMessageW, ReleaseMutex, GetCurrentThreadId, WaitForSingleObject, WaitForThreadpoolTimerCallbacks, InitializeCriticalSectionEx, LeaveCriticalSection, GetModuleHandleExW, ReleaseSemaphore, EnterCriticalSection, SetLastError, HeapAlloc, HeapFree, ResolveDelayLoadedAPI, DelayLoadFailureHook, GetModuleFileNameA
GDI32.dll	CreateDCW, StartPage, StartDocW, SetAbortProc, DeleteDC, EndDoc, AbortDoc, EndPage, GetTextMetricsW, SetBkMode, LPtoDP, SetWindowExtEx, SetViewportExtEx, SetMapMode, GetTextExtentPoint32W, TextOutW, EnumFontsW, GetTextFaceW, SelectObject, DeleteObject, CreateFontIndirectW, GetDeviceCaps
USER32.dll	PostMessageW, MessageBoxW, GetMenu, CheckMenuItem, GetSubMenu, EnableMenuItem, ShowWindow, GetDC, ReleaseDC, SetCursor, GetDpiForWindow, SetActiveWindow, LoadStringW, DefWindowProcW, IsIconic, SetFocus, PostQuitMessage, DestroyWindow, MessageBeep, GetForegroundWindow, GetDlgCtrlID, SetWindowPos, RedrawWindow, GetKeyboardLayout, CharNextW, SetWinEventHook, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, UnhookWinEvent, SetWindowTextW, OpenClipboard, IsClipboardFormatAvailable, CloseClipboard, SetDlgItemTextW, GetDlgItemTextW, EndDialog, SendDlgItemMessageW, SetScrollPos, InvalidateRect, UpdateWindow, GetWindowPlacement, SetWindowPlacement, CharUpperW, GetSystemMenu, LoadAcceleratorsW, SetWindowLongW, CreateWindowExW, MonitorFromWindow, RegisterWindowMessageW, LoadCursorW, RegisterClassExW, GetWindowTextLengthW, GetWindowLongW, PeekMessageW, GetWindowTextW, EnableWindow, CreateDialogParamW, DrawTextExW, LoadIconW, LoadImageW, DialogBoxParamW, SetThreadDpiAwarenessContext, SendMessageW, MoveWindow, GetClientRect, GetFocus
api-ms-win-crt-string-l1-1-0.dll	memset, wcsnlen, wcscmp
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, _register_thread_local_exe_atexit_callback, _initterm_e, _initterm
api-ms-win-crt-private-l1-1-0.dll	_o__callnewh, _o__cexit, _o__configthreadlocale, _o__configure_wide_argv, _o__crt_atexit, _o__errno, _o__exit, _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__wcsicmp, _o__wtol, _o_exit, _o_free, _o_iswdigit, _o_malloc, _o_terminate, _o_toupper, __std_terminate, __CxxFrameHandler3, _CxxThrowException, _o___std_exception_destroy, _o___std_exception_copy, __C_specific_handler, _o___stdio_common_vswprintf, memcmp, _o___p__commode, memcpy, memmove
api-ms-win-core-com-l1-1-0.dll	CoCreateFreeThreadedMarshaler, CoWaitForMultipleHandles, PropVariantClear, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoInitializeEx, CoCreateGuid, CoUninitialize
api-ms-win-core-shlwapi-legacy-l1-1-0.dll	PathFileExistsW, PathFindExtensionW, PathIsFileSpecW
api-ms-win-shcore-obsolete-l1-1-0.dll	SHStrDupW
api-ms-win-shcore-path-l1-1-0.dll
api-ms-win-shcore-scaling-l1-1-1.dll	GetDpiForMonitor
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlVirtualUnwind, RtlCaptureContext, RtlLookupFunctionEntry
api-ms-win-core-errorhandling-l1-1-0.dll	RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter
api-ms-win-core-processthreads-l1-1-0.dll	TerminateProcess
api-ms-win-core-processthreads-l1-1-1.dll	GetProcessMitigationPolicy, IsProcessorFeaturePresent
api-ms-win-core-synch-l1-1-0.dll	InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, CreateEventExW, CreateEventW
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetTickCount, GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead
api-ms-win-core-libraryloader-l1-2-0.dll	LoadLibraryExW
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsDeleteString, WindowsCreateStringReference, WindowsGetStringRawBuffer, WindowsCreateString
api-ms-win-core-winrt-error-l1-1-0.dll	SetRestrictedErrorInfo
api-ms-win-core-winrt-l1-1-0.dll	RoInitialize, RoGetActivationFactory, RoUninitialize
api-ms-win-core-winrt-error-l1-1-1.dll	RoGetMatchingRestrictedErrorInfo
api-ms-win-eventing-provider-l1-1-0.dll	EventProviderEnabled
api-ms-win-core-synch-l1-2-0.dll	Sleep
COMCTL32.dll	CreateStatusWindowW

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Notepad
FileVersion	10.0.19041.1081 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.1081
FileDescription	Notepad
OriginalFilename	NOTEPAD.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• notepad.exe

Click to jump to process

Memory Usage

• notepad.exe

Click to jump to process

System Behavior

Analysis Process: notepad.exe PID: 4904 Parent PID: 5680

Function Logs

General

Start time:	15:19:37
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\notepad.exe'
Imagebase:	0x7ff72b8f0000
File size:	211968 bytes
MD5 hash:	1C1760ED4D19CDBECB2398216922628B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: notepad.exe PID: 4904 Parent PID: 5680 notepad.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.6%
Total number of Nodes:	718
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF72B903D8C, Relevance: 775.1, APIs: 416, Strings: 21, Instructions: 10329windowregistrythreadCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B903DD2
RegisterWindowMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B903DF5
GetDC.USER32 ref: 00007FF72B903E11

Part of subcall function 00007FF72B902F84: LocalAlloc.KERNEL32 ref: 00007FF72B902FB3
Part of subcall function 00007FF72B902F84: LoadStringW.USER32 ref: 00007FF72B902FF2
Part of subcall function 00007FF72B902F84: LocalFree.KERNEL32 ref: 00007FF72B903015
Part of subcall function 00007FF72B902F84: LocalAlloc.KERNEL32 ref: 00007FF72B90303B

LoadCursorW.USER32 ref: 00007FF72B903E40
LoadCursorW.USER32 ref: 00007FF72B903E5A
LoadAcceleratorsW.USER32 ref: 00007FF72B903E77
LoadAcceleratorsW.USER32 ref: 00007FF72B903E94

Part of subcall function 00007FF72B90E3A0: LoadCursorW.USER32 ref: 00007FF72B90E3DF
Part of subcall function 00007FF72B90E3A0: LoadIconW.USER32 ref: 00007FF72B90E3FD
Part of subcall function 00007FF72B90E3A0: LoadImageW.USER32 ref: 00007FF72B90E442
Part of subcall function 00007FF72B90E3A0: RegisterClassExW.USER32 ref: 00007FF72B90E495

Part of subcall function 00007FF72B8F9058: GetLocaleInfoW.KERNEL32 ref: 00007FF72B8F9089

Part of subcall function 00007FF72B902648: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B902677
Part of subcall function 00007FF72B902648: RegOpenKeyExW.ADVAPI32 ref: 00007FF72B9026DC

Part of subcall function 00007FF72B911538: CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B91156C

Part of subcall function 00007FF72B8FFCB0: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FFCBC

CreateWindowExW.USER32 ref: 00007FF72B903FC4
GetWindowPlacement.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904069
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B9040DA
SetWindowPlacement.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9040F3
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B904102
GetClientRect.USER32 ref: 00007FF72B904138

Part of subcall function 00007FF72B911660: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF72B90369B), ref: 00007FF72B9116E3

CreateWindowExW.USER32 ref: 00007FF72B9041AC

Part of subcall function 00007FF72B9037E8: DestroyWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF72B90ED58), ref: 00007FF72B903810
Part of subcall function 00007FF72B9037E8: SendMessageW.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF72B90ED58), ref: 00007FF72B903831
Part of subcall function 00007FF72B9037E8: SendMessageW.USER32 ref: 00007FF72B9038C9
Part of subcall function 00007FF72B9037E8: SendMessageW.USER32 ref: 00007FF72B9038F6
Part of subcall function 00007FF72B9037E8: SendMessageW.USER32 ref: 00007FF72B90397C

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9041DD
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9041FB
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B90421D
CreateStatusWindowW.COMCTL32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904253

Part of subcall function 00007FF72B903A30: DestroyWindow.USER32 ref: 00007FF72B903A51

Part of subcall function 00007FF72B8FC4BC: SendMessageW.USER32 ref: 00007FF72B8FC571
Part of subcall function 00007FF72B8FC4BC: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FC58C
Part of subcall function 00007FF72B8FC4BC: SendMessageW.USER32 ref: 00007FF72B8FC5E8
Part of subcall function 00007FF72B8FC4BC: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FC677

GetClientRect.USER32 ref: 00007FF72B904286

Part of subcall function 00007FF72B903A80: MonitorFromWindow.USER32 ref: 00007FF72B903ABB
Part of subcall function 00007FF72B903A80: GetDpiForMonitor.API-MS-WIN-SHCORE-SCALING-L1-1-1 ref: 00007FF72B903AD4
Part of subcall function 00007FF72B903A80: MulDiv.KERNEL32 ref: 00007FF72B903B5B
Part of subcall function 00007FF72B903A80: MulDiv.KERNEL32 ref: 00007FF72B903BD7

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9042B9
GetDpiForWindow.USER32 ref: 00007FF72B9042DA
MulDiv.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9042F4
CreateFontIndirectW.GDI32 ref: 00007FF72B904312
SelectObject.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B90432B
GetTextFaceW.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904347
SelectObject.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904359
lstrcmpiW.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904373
EnumFontsW.GDI32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904397
DeleteObject.GDI32 ref: 00007FF72B9043AA
CreateFontIndirectW.GDI32 ref: 00007FF72B9043B9

Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C77
Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C8D

SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B9043E6
ReleaseDC.USER32 ref: 00007FF72B9043F7
SendMessageW.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904415
ShowWindow.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B90444E
SetCursor.USER32(?,?,?,00000000,00000000,?,00000000,?,00007FF72B8FC29E), ref: 00007FF72B904461

Strings

Segoe UI Light, xrefs: 00007FF72B908BF7
NPCTXT, xrefs: 00007FF72B90420E
Edit, xrefs: 00007FF72B904153
z, xrefs: 00007FF72B90816C
Security-SPP-GenuineLocalStatus, xrefs: 00007FF72B905368, 00007FF72B9057D4, 00007FF72B90591B
z, xrefs: 00007FF72B9087C5
commdlg_FindReplace, xrefs: 00007FF72B903DC5
{, xrefs: 00007FF72B9086E3
NtQuerySystemInformation, xrefs: 00007FF72B906AE9, 00007FF72B90D38D
WinSta0, xrefs: 00007FF72B905054
commdlg_help, xrefs: 00007FF72B903DEE
MainAcc, xrefs: 00007FF72B903E83
ntdll.dll, xrefs: 00007FF72B906A73, 00007FF72B90D31E
Default, xrefs: 00007FF72B905070
{, xrefs: 00007FF72B90BF11
3, xrefs: 00007FF72B904611
{, xrefs: 00007FF72B90808C
GlobalAcc, xrefs: 00007FF72B903E66
Notepad, xrefs: 00007FF72B903F83
z, xrefs: 00007FF72B90BFE5
, xrefs: 00007FF72B90B76E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$SendWindow$Load$Create$Cursor$FreeLocalObjectRegistermemset$AcceleratorsAllocAwarenessCharClientContextDestroyFontIndirectMonitorPlacementRectSelectTaskThreadUpper$ClassDeleteEnumFaceFontsFromGuidIconImageInfoLocaleOpenReleaseShowStatusStringTextlstrcmpi
String ID: $3$Default$Edit$GlobalAcc$MainAcc$NPCTXT$Notepad$NtQuerySystemInformation$Security-SPP-GenuineLocalStatus$Segoe UI Light$WinSta0$commdlg_FindReplace$commdlg_help$ntdll.dll$z$z$z${${${
API String ID: 2606882876-378693033
Opcode ID: 774b86368fcfd5e259140c1396230457c64330d3984e115934ba3f3a6fb7ffd9
Instruction ID: f6fd4068fd0d50b38fcc325830c767f5921d6d10d36e8284a5b20a3e7bf31559
Opcode Fuzzy Hash: 774b86368fcfd5e259140c1396230457c64330d3984e115934ba3f3a6fb7ffd9
Instruction Fuzzy Hash: 8024E332A18682CAE724DF39DD442B9BBA1FB89744F859535CA8E87764DF3CE540CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FC0F8, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 224
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF72B8FC1B9
CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FC1CF
HeapSetInformation.KERNEL32 ref: 00007FF72B8FC1FD
CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FC20E
CharNextW.USER32 ref: 00007FF72B8FC264
GetCurrentProcessId.KERNEL32 ref: 00007FF72B8FC2B2
SetWinEventHook.USER32 ref: 00007FF72B8FC2DD
PostMessageW.USER32 ref: 00007FF72B8FC309
TranslateAcceleratorW.USER32 ref: 00007FF72B8FC327
IsDialogMessageW.USER32 ref: 00007FF72B8FC347
TranslateAcceleratorW.USER32 ref: 00007FF72B8FC369
TranslateMessage.USER32 ref: 00007FF72B8FC37D
DispatchMessageW.USER32 ref: 00007FF72B8FC38D
GetMessageW.USER32 ref: 00007FF72B8FC3A5
UnhookWinEvent.USER32 ref: 00007FF72B8FC412
FreeLibrary.KERNEL32 ref: 00007FF72B8FC456
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FC462
EtwEventUnregister.NTDLL ref: 00007FF72B8FC483

Strings

, xrefs: 00007FF72B8FC27B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$EventTranslate$Accelerator$CharCommandCreateCurrentDialogDispatchFreeGuidHeapHookInformationInitializeLibraryLineNextPostProcessUnhookUninitializeUnregister
String ID:
API String ID: 3896377122-3916222277
Opcode ID: b800bbb01b60699f523c104b0402643c193bf7154c30916286245b2a7f63fdbc
Instruction ID: 2fd41ec456545303b524ce4b1887ba3d96612ab6b273ce091b9cb441acf6cb9a
Opcode Fuzzy Hash: b800bbb01b60699f523c104b0402643c193bf7154c30916286245b2a7f63fdbc
Instruction Fuzzy Hash: 61B15F21E19642CAEB10AF29EC40278BBA0FB99B84BC59131DA4D43774DF3CE555DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F7834, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 210
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF72B8F7870

Part of subcall function 00007FF72B8F21F0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B8F2230

CreateMutexW.KERNELBASE ref: 00007FF72B8F78B2
WaitForSingleObjectEx.KERNEL32 ref: 00007FF72B8F78E0

Part of subcall function 00007FF72B8F288C: GetLastError.KERNEL32 ref: 00007FF72B8F2890

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF72B8F7B54
wil, xrefs: 00007FF72B8F7927
Local\SM0:%d:%d:%hs, xrefs: 00007FF72B8F7881

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$onecore\internal\sdk\inc\wil\opensource\wil\resource.h$wil
API String ID: 3333087404-847674279
Opcode ID: 290427eb6a8cfaae9462c989ded2c180355f76e308b537b2daba1739bbdf1464
Instruction ID: e168b2621ea31838e93e39459c95464d9667cf0b7ad2ae9cb569752cb63f1ba6
Opcode Fuzzy Hash: 290427eb6a8cfaae9462c989ded2c180355f76e308b537b2daba1739bbdf1464
Instruction Fuzzy Hash: 2C919136618B4286F760AF29EC402B9E761EB99B90FC09131DE8E47B65DF3CF1518B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B915510, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrResolveDelayLoadedAPI.NTDLL ref: 00007FF72B91553B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: dea47fbc23d7e09865cf3b99bb5978a4bf16469b3637a03c9014ba8686a2ba8a
Instruction ID: 74db4b30fb7ef995cdd51dcc1ce411bad5b3b3c3d564711493825bc351d5c7f9
Opcode Fuzzy Hash: dea47fbc23d7e09865cf3b99bb5978a4bf16469b3637a03c9014ba8686a2ba8a
Instruction Fuzzy Hash: 69E0B6B8918A42CAE610AB18EC40064BBA0FB99784FC05172D98D57334CB3CA115EF24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B915890, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF72B915899

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6496e19406f577a6234f9bd5db48dbed12d8b8de2af6806225c28b51bb82dcee
Instruction ID: d3afe576eb9dd5ece4822e0966359f352c42a0be472989de68cfaceda1a46863
Opcode Fuzzy Hash: 6496e19406f577a6234f9bd5db48dbed12d8b8de2af6806225c28b51bb82dcee
Instruction Fuzzy Hash: 79C04800E2E642C9E90837AD0C520B891A1CFC6300F90A075D58D052A2CC2C21D6BE32

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B916040, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 112
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF72B916065
GetModuleHandleW.KERNELBASE ref: 00007FF72B916073
GetModuleHandleW.KERNEL32 ref: 00007FF72B916089
GetProcAddress.KERNEL32 ref: 00007FF72B9160A6
GetProcAddress.KERNEL32 ref: 00007FF72B9160BA
GetProcAddress.KERNEL32 ref: 00007FF72B9160CE
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF72B916167

Part of subcall function 00007FF72B916500: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF72B91651C
Part of subcall function 00007FF72B916500: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B916540
Part of subcall function 00007FF72B916500: RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B916549
Part of subcall function 00007FF72B916500: RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B916563
Part of subcall function 00007FF72B916500: RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B9165A4
Part of subcall function 00007FF72B916500: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B9165D7
Part of subcall function 00007FF72B916500: IsDebuggerPresent.KERNEL32 ref: 00007FF72B9165F8
Part of subcall function 00007FF72B916500: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF72B916619
Part of subcall function 00007FF72B916500: UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF72B916624

DeleteCriticalSection.KERNEL32 ref: 00007FF72B9161AB
CloseHandle.KERNEL32 ref: 00007FF72B9161BD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF72B91606C
WakeAllConditionVariable, xrefs: 00007FF72B9160C4
kernel32.dll, xrefs: 00007FF72B916082
InitializeConditionVariable, xrefs: 00007FF72B91609C
SleepConditionVariableCS, xrefs: 00007FF72B9160B0

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleProc$CriticalExceptionFilterModulePresentSectionUnhandledmemset$CaptureCloseContextCountCreateDebuggerDeleteEntryEventFeatureFunctionInitializeLookupProcessorSpinUnwindVirtual
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2631387040-1714406822
Opcode ID: db24618b5eb622cb5cbbe5ed6acf9d879f6c38c64999a3de1d0b09191ce256e2
Instruction ID: 3af49ee5e23166bf2815f2b988506c30d04d8607b438de2b59058b9003a4200c
Opcode Fuzzy Hash: db24618b5eb622cb5cbbe5ed6acf9d879f6c38c64999a3de1d0b09191ce256e2
Instruction Fuzzy Hash: D1414120E29B02CEFA14BB28EC50275A261EF86750FC46535C98E577B5DF3CE445EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B914D80, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B914DAE
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914DDB
RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF72B914DFA
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B914E2E
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914EB8
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914EFB
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914F73

Strings

Files/Resources/notepad.exe.mui, xrefs: 00007FF72B914EB1
Windows.ApplicationModel.Resources.Core.ResourceManager, xrefs: 00007FF72B914DD4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: StringWindows$CreateDeleteReference$ActivationExceptionFactoryInitializeRaise
String ID: Files/Resources/notepad.exe.mui$Windows.ApplicationModel.Resources.Core.ResourceManager
API String ID: 2941117075-1600936776
Opcode ID: cd55610a5b8c9c32416645b74090953f83fd87d13f39ecf97c98aacf6dd4e747
Instruction ID: 53ea84de1ab9bf003bfeb82b138e8f77e44367768c93b7df71dc29153627fce6
Opcode Fuzzy Hash: cd55610a5b8c9c32416645b74090953f83fd87d13f39ecf97c98aacf6dd4e747
Instruction Fuzzy Hash: E5811A36B24B06CAEB009B69D8943ACBB71FB89B84F946135CE4D57B64CF38E405DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9158B0, Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF72B9158BF
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF72B9158D4
__scrt_release_startup_lock.LIBCMT ref: 00007FF72B915942
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF72B915990
__scrt_get_show_window_mode.LIBCMT ref: 00007FF72B915995
_o__get_wide_winmain_command_line.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B91599D
__scrt_is_managed_app.LIBCMT ref: 00007FF72B9159B8
_o__cexit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B9159C6
_o__exit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B915A1B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 105026157-0
Opcode ID: 72c483cfc1c096ab9830138a3106d75845afd1e486bdeba52df02be1278e808c
Instruction ID: 33ae72caf597d7f10dbf674afe4c2a5d612c9957922757f4590881d1cbd83b6e
Opcode Fuzzy Hash: 72c483cfc1c096ab9830138a3106d75845afd1e486bdeba52df02be1278e808c
Instruction Fuzzy Hash: 7131F921E2D102CEFA10BB2D9C552B99251DFD2784FC66035DACD0B2B7DE2CA445AA61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B902F84, Relevance: 10.6, APIs: 7, Instructions: 115
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32 ref: 00007FF72B902FB3
LoadStringW.USER32 ref: 00007FF72B902FF2
LocalFree.KERNEL32 ref: 00007FF72B903015
LocalAlloc.KERNEL32 ref: 00007FF72B90303B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Local$Alloc$FreeLoadString
String ID:
API String ID: 4206045929-0
Opcode ID: 97f7486c3501b8cc1143ae574958acde57fbf968e833dd4a2580ab6d71a25fcd
Instruction ID: 187e9f18260b0ac82c12d9d797a22f90e929c22ac2eff5f476efd9bbb62a83fd
Opcode Fuzzy Hash: 97f7486c3501b8cc1143ae574958acde57fbf968e833dd4a2580ab6d71a25fcd
Instruction Fuzzy Hash: 2C418F72B1AA42C6EA00AF09AC80179F7A1FB89B81F859435CE8E57365DF3CE4459B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F8504, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FF72B8F8573
GetLastError.KERNEL32 ref: 00007FF72B8F858E

Strings

_p0, xrefs: 00007FF72B8F8554
wil, xrefs: 00007FF72B8F857F

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0$wil
API String ID: 1909229842-1814513734
Opcode ID: 26c08b54c2093927baddb9c2af52bd5568567a045a00b3fd2cca473bb1e19bba
Instruction ID: 79f7f7dcc83038416d0eb921ee04013af72558917f18976bb7f67740ef1c0d25
Opcode Fuzzy Hash: 26c08b54c2093927baddb9c2af52bd5568567a045a00b3fd2cca473bb1e19bba
Instruction Fuzzy Hash: FE51E562B18A82C6E720EB69EC102F9A790EFD8784FD04031EE4D57765DE3CF5118B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3040, Relevance: 7.6, APIs: 5, Instructions: 51
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32 ref: 00007FF72B8F3044
GetLastError.KERNEL32 ref: 00007FF72B8F308A
SetLastError.KERNEL32 ref: 00007FF72B8F30A2
GetLastError.KERNEL32 ref: 00007FF72B8F30BB
SetLastError.KERNEL32 ref: 00007FF72B8F30D3

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorLast$MutexRelease
String ID:
API String ID: 3084565237-0
Opcode ID: e3b2b4a5d6a66c0ded5001229e633d129643ff1bfdc93c4895d25cc6b2450fdd
Instruction ID: e901625ea8de1f3f2c78d1c056b84aa885bfb4ac24370acdcc9b31c76da75bcc
Opcode Fuzzy Hash: e3b2b4a5d6a66c0ded5001229e633d129643ff1bfdc93c4895d25cc6b2450fdd
Instruction Fuzzy Hash: 3D115E21A14A81C7E7046B25E890339FA60FFC8B41F84D531DA4E07B65CF3CE4659B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FF7CC, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8FF978
GetProcAddress.KERNEL32 ref: 00007FF72B8FF995

Strings

RtlNotifyFeatureUsage, xrefs: 00007FF72B8FF98B
ntdll.dll, xrefs: 00007FF72B8FF971

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlNotifyFeatureUsage$ntdll.dll
API String ID: 1646373207-2443152447
Opcode ID: d1984b1c00aae644ad81749d54549d1c06019f33a98c95438caf1dfde6a990bb
Instruction ID: 62107938f88906839dd508e4e9a3a4f0a4fa899e543ab4c84493cfc0eaf31f8a
Opcode Fuzzy Hash: d1984b1c00aae644ad81749d54549d1c06019f33a98c95438caf1dfde6a990bb
Instruction Fuzzy Hash: DF61B432F69B029AE714AF7DEC90378A2A1EB98744FC84235DD4D427E4DF3CE5148A50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6644, Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B8F68A0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F68FF
Part of subcall function 00007FF72B8F68A0: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F6923

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6686
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F66AC
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F66D4
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6710

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 8b647db60dac75cfd403542d384b0e68e8a92977ec1f143e5187edb16381739f
Instruction ID: 20d851477c12757454e3e494fc92a422c0982757aadca314d15ed4738a9254ec
Opcode Fuzzy Hash: 8b647db60dac75cfd403542d384b0e68e8a92977ec1f143e5187edb16381739f
Instruction Fuzzy Hash: B1215E62A08A42CAEB10AF55E8503B9BBA0FB59F84FC88131DE4D07765CF3CE455CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F7610, Relevance: 3.1, APIs: 2, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F76BB
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F7710

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: d54f3a392ea67de80d392a230dd5e4456882794b2eae396b8f271d6692ec93a9
Instruction ID: 7a567634f03afae8ca194eb98ab842eb098f6881b0ad899356b1b848b3d8bc36
Opcode Fuzzy Hash: d54f3a392ea67de80d392a230dd5e4456882794b2eae396b8f271d6692ec93a9
Instruction Fuzzy Hash: AD412434E18646CAFA55AB1DEC80B34A7A1EBA4B50FC98134C98C027B0DF2CB851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9157C0, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF72B915E04: _o__initialize_onexit_table.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00007FF72B9157F4), ref: 00007FF72B915E46

_RTC_Initialize.LIBCMT ref: 00007FF72B9157F8

Part of subcall function 00007FF72B916010: _onexit.LIBCMT ref: 00007FF72B916014

__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FF72B915874

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Initialize__scrt_initialize_default_local_stdio_options_o__initialize_onexit_table_onexit
String ID:
API String ID: 3742801250-0
Opcode ID: eea0f9de1afa3335b8963e05af4259884430d092420fba63b39cd08fe8e2f225
Instruction ID: d56707a1d06a8f9db37d2906767221a3587e164cb6568ea429e67d5399ccf9c0
Opcode Fuzzy Hash: eea0f9de1afa3335b8963e05af4259884430d092420fba63b39cd08fe8e2f225
Instruction Fuzzy Hash: 26015840E39202CEFA447BB95C462B88151CFD5718FC16478EACE662E3ED1CB844AE32

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F68A0, Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F68FF
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F6923

Part of subcall function 00007FF72B8F7834: GetCurrentProcessId.KERNEL32 ref: 00007FF72B8F7870
Part of subcall function 00007FF72B8F7834: CreateMutexW.KERNELBASE ref: 00007FF72B8F78B2

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireCreateCurrentMutexProcessRelease
String ID:
API String ID: 4097130892-0
Opcode ID: f18b58fc62a8f7518ff145c5c761b010ac2e9fa8643cba8d6b4d1f143474ccd1
Instruction ID: ea6a328ba1df25a48f8d5307eeb40c79a3032faf5b6b5e2f41888a952e7b1e56
Opcode Fuzzy Hash: f18b58fc62a8f7518ff145c5c761b010ac2e9fa8643cba8d6b4d1f143474ccd1
Instruction Fuzzy Hash: D711BF32B15B4682EF049F29D840628B3A4FB68F88F944235CE5D03728DF38E962C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F1430, Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EtwEventRegister.NTDLL ref: 00007FF72B8F147C
EtwEventSetInformation.NTDLL ref: 00007FF72B8F14AF

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Event$InformationRegister
String ID:
API String ID: 1404366003-0
Opcode ID: c7831c6368fec970d16237d1c93c892c7a8b2c4833683e32f9adbd3868a9ee2a
Instruction ID: 8e42c67ce2c66d18d4008d1088ffcd4bd587567589c790dd747d6ea141a21a58
Opcode Fuzzy Hash: c7831c6368fec970d16237d1c93c892c7a8b2c4833683e32f9adbd3868a9ee2a
Instruction Fuzzy Hash: 4A118C72A08B85C6E7109B19E880379B7A0FB8CB94F904221EA8D47B25DF3CD555CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F8968, Relevance: 3.0, APIs: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF72B8F8987

Part of subcall function 00007FF72B916010: _onexit.LIBCMT ref: 00007FF72B916014

Part of subcall function 00007FF72B8F1430: EtwEventRegister.NTDLL ref: 00007FF72B8F147C

InitOnceComplete.KERNEL32 ref: 00007FF72B8F8A22

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: InitOnce$BeginCompleteEventInitializeRegister_onexit
String ID:
API String ID: 1756061407-0
Opcode ID: 668d2436a52a317d6359af763c303365b32208c304d8823daee0594d8a8616a4
Instruction ID: a8bf051420d10e672831665187f38d933efaf71b65895017b787e741108ca4c2
Opcode Fuzzy Hash: 668d2436a52a317d6359af763c303365b32208c304d8823daee0594d8a8616a4
Instruction Fuzzy Hash: 1F11D625D28A86C6EB10AF19ED846A5B7A0FB95744FCA5131D68E03771CF3CE098DF60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF72B90F364, Relevance: 109.0, APIs: 61, Strings: 1, Instructions: 525timewindowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 00007FF72B90F3C3
GetDeviceCaps.GDI32 ref: 00007FF72B90F3D6
GetDeviceCaps.GDI32 ref: 00007FF72B90F3EF
GetDeviceCaps.GDI32 ref: 00007FF72B90F408
GetDeviceCaps.GDI32 ref: 00007FF72B90F421
GetDeviceCaps.GDI32 ref: 00007FF72B90F43A
GetDeviceCaps.GDI32 ref: 00007FF72B90F453
GetDeviceCaps.GDI32 ref: 00007FF72B90F46C
GetLocalTime.KERNEL32 ref: 00007FF72B90F485
GetDateFormatW.KERNEL32 ref: 00007FF72B90F4BD
GetTimeFormatW.KERNEL32 ref: 00007FF72B90F4E8
SetMapMode.GDI32 ref: 00007FF72B90F56F
SetViewportExtEx.GDI32 ref: 00007FF72B90F58E
SetWindowExtEx.GDI32 ref: 00007FF72B90F5AD
LPtoDP.GDI32 ref: 00007FF72B90F5D6
SetMapMode.GDI32 ref: 00007FF72B90F5E8
CreateFontIndirectW.GDI32 ref: 00007FF72B90F5F8
SelectObject.GDI32 ref: 00007FF72B90F616
SetBkMode.GDI32 ref: 00007FF72B90F634
GetTextMetricsW.GDI32 ref: 00007FF72B90F647
SelectObject.GDI32 ref: 00007FF72B90F66B
DeleteObject.GDI32 ref: 00007FF72B90F67A
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F690
CreateFontIndirectW.GDI32 ref: 00007FF72B90F699
SelectObject.GDI32 ref: 00007FF72B90F6B7
GetTextMetricsW.GDI32 ref: 00007FF72B90F6D6
SetAbortProc.GDI32 ref: 00007FF72B90F7B7
SendMessageW.USER32 ref: 00007FF72B90F7DF
LocalLock.KERNEL32 ref: 00007FF72B90F7FE
GetWindowTextLengthW.USER32 ref: 00007FF72B90F81D
GetWindowTextW.USER32 ref: 00007FF72B90F84D
EnableWindow.USER32 ref: 00007FF72B90F869
CreateDialogParamW.USER32 ref: 00007FF72B90F894
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B90F8B4
SetLastError.KERNEL32 ref: 00007FF72B90F8E6
StartDocW.GDI32 ref: 00007FF72B90F8FA
GetLastError.KERNEL32 ref: 00007FF72B90F90E
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B90F924
SelectObject.GDI32 ref: 00007FF72B90F940
DeleteObject.GDI32 ref: 00007FF72B90F94F
LocalUnlock.KERNEL32 ref: 00007FF72B90F966
EndPage.GDI32 ref: 00007FF72B90F97A
GetLastError.KERNEL32 ref: 00007FF72B90F98E
AbortDoc.GDI32 ref: 00007FF72B90F9B7
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90FA31
GetWindowLongW.USER32 ref: 00007FF72B90FA4C
SetDlgItemTextW.USER32 ref: 00007FF72B90FAA4
StartPage.GDI32 ref: 00007FF72B90FAD8
DrawTextExW.USER32 ref: 00007FF72B90FB21
EndPage.GDI32 ref: 00007FF72B90FB3B
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B90FB89
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B90FBA5
MessageBoxW.USER32 ref: 00007FF72B90FBD1
SetLastError.KERNEL32 ref: 00007FF72B90FBDF
GetLastError.KERNEL32 ref: 00007FF72B90FBF0
EndDoc.GDI32 ref: 00007FF72B90FC06
GetLastError.KERNEL32 ref: 00007FF72B90FC1A
DeleteDC.GDI32 ref: 00007FF72B90FC2B
EnableWindow.USER32 ref: 00007FF72B90FC43
DestroyWindow.USER32 ref: 00007FF72B90FC56
SetCursor.USER32 ref: 00007FF72B90FC70

Strings

(, xrefs: 00007FF72B90F8CD

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CapsDeviceWindow$ErrorLastObjectText$FreeSelectTask$CreateDeleteLocalModePage$AbortCursorEnableFontFormatIndirectMessageMetricsStartTime$DateDestroyDialogDrawItemLengthLockLongParamProcSendUnlockViewportmemsetwcsnlen
String ID: (
API String ID: 2953118813-3887548279
Opcode ID: 01741eaae34a4d570697a323405932bfea6b34618ae6d7bfef3bfc6a54f2ade7
Instruction ID: b80f7e7461cf897bad74fefe69dac5d063e009ef5e2051991805439550394359
Opcode Fuzzy Hash: 01741eaae34a4d570697a323405932bfea6b34618ae6d7bfef3bfc6a54f2ade7
Instruction Fuzzy Hash: 55424D31E18A42CBE704AF29EC54279FBA5FB99B45B869134C98E43730DF3CA5459F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B902648, Relevance: 77.3, APIs: 5, Strings: 39, Instructions: 304registryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B902677
RegOpenKeyExW.ADVAPI32 ref: 00007FF72B9026DC

Part of subcall function 00007FF72B90205C: RegQueryValueExW.ADVAPI32 ref: 00007FF72B902098

RegCloseKey.ADVAPI32 ref: 00007FF72B90288C
RegOpenKeyExW.ADVAPI32 ref: 00007FF72B90283D

Part of subcall function 00007FF72B9021A0: RegQueryValueExW.ADVAPI32 ref: 00007FF72B9021E8
Part of subcall function 00007FF72B9021A0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF72B9028BC), ref: 00007FF72B90220B

RegCloseKey.ADVAPI32 ref: 00007FF72B902C1D

Strings

replaceString, xrefs: 00007FF72B902AC5
fWrapAround, xrefs: 00007FF72B902A56
Lucida Console, xrefs: 00007FF72B902856
iMarginBottom, xrefs: 00007FF72B902B33
lfEscapement, xrefs: 00007FF72B9026ED
lfOutPrecision, xrefs: 00007FF72B9027B3
iPointSize, xrefs: 00007FF72B902876, 00007FF72B9028C1
lfPitchAndFamily, xrefs: 00007FF72B90280A
, xrefs: 00007FF72B9028A8
iWindowPosX, xrefs: 00007FF72B902BAA
StatusBar, xrefs: 00007FF72B9029E9
lfItalic, xrefs: 00007FF72B90274B
lfWeight, xrefs: 00007FF72B90272F
szHeader, xrefs: 00007FF72B902AE2
fMLE_is_broken, xrefs: 00007FF72B902BF8
Software\Microsoft\Notepad, xrefs: 00007FF72B902682
szTrailer, xrefs: 00007FF72B902B08
lfOrientation, xrefs: 00007FF72B902714
searchString, xrefs: 00007FF72B902A93
iMarginRight, xrefs: 00007FF72B902B6F
lfFaceName, xrefs: 00007FF72B902865, 00007FF72B9028B0
iMarginLeft, xrefs: 00007FF72B902B51
fWrap, xrefs: 00007FF72B9028D5
iWindowPosDY, xrefs: 00007FF72B902BDE
fReverse, xrefs: 00007FF72B902A3F
lfStrikeOut, xrefs: 00007FF72B90277F
fPasteOriginalEOL, xrefs: 00007FF72B902A28
iWindowPosDX, xrefs: 00007FF72B902BC4
iMarginTop, xrefs: 00007FF72B902B1B
lfQuality, xrefs: 00007FF72B9027E7
lfClipPrecision, xrefs: 00007FF72B9027CD
iDefaultEncoding, xrefs: 00007FF72B902968
fWindowsOnlyEOL, xrefs: 00007FF72B902A17
lfCharSet, xrefs: 00007FF72B902799
fSaveWindowPositions, xrefs: 00007FF72B9029FD
lfUnderline, xrefs: 00007FF72B902765
iWindowPosY, xrefs: 00007FF72B902B8B
Software\Microsoft\Notepad\DefaultFonts, xrefs: 00007FF72B90281C
fMatchCase, xrefs: 00007FF72B902A70

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CloseOpenQueryValue$memcpymemset
String ID: $Lucida Console$Software\Microsoft\Notepad$Software\Microsoft\Notepad\DefaultFonts$StatusBar$fMLE_is_broken$fMatchCase$fPasteOriginalEOL$fReverse$fSaveWindowPositions$fWindowsOnlyEOL$fWrap$fWrapAround$iDefaultEncoding$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$replaceString$searchString$szHeader$szTrailer
API String ID: 216777390-570872617
Opcode ID: 6a86fa5fa1baeaebbfb1bcba359283258950a533cea8b834b6780ea7404fc18e
Instruction ID: f6c94d9270986df6c40aa4444c52e812a5509c9e24da5f7a8047af3ac836093f
Opcode Fuzzy Hash: 6a86fa5fa1baeaebbfb1bcba359283258950a533cea8b834b6780ea7404fc18e
Instruction Fuzzy Hash: 98F12962A18792CAEB00EF29EC416A9B760FB86744FC05436EADC47635DE3DE505CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B900EA0, Relevance: 72.4, APIs: 40, Strings: 1, Instructions: 602filewindowmemoryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B900F3D
#170.API-MS-WIN-SHCORE-PATH-L1-1-0 ref: 00007FF72B900F45
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B900F5B
GetFileInformationByHandle.KERNEL32 ref: 00007FF72B900F88

Part of subcall function 00007FF72B900DC8: PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B900DDE
Part of subcall function 00007FF72B900DC8: _o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B900DFD
Part of subcall function 00007FF72B900DC8: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B900E59

SetCursor.USER32 ref: 00007FF72B900FE4

Part of subcall function 00007FF72B901C70: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B901CCD
Part of subcall function 00007FF72B901C70: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B901E91

CreateFileMappingW.KERNEL32 ref: 00007FF72B90102A
MapViewOfFile.KERNEL32 ref: 00007FF72B901056
CloseHandle.KERNEL32 ref: 00007FF72B901075
CloseHandle.KERNEL32 ref: 00007FF72B9010A1
SetCursor.USER32 ref: 00007FF72B9010C1
IsTextUnicode.ADVAPI32 ref: 00007FF72B901160
MultiByteToWideChar.KERNEL32 ref: 00007FF72B9011CF
GetLastError.KERNEL32 ref: 00007FF72B9011DF
MultiByteToWideChar.KERNEL32 ref: 00007FF72B90140F
SendMessageW.USER32 ref: 00007FF72B901435
SendMessageW.USER32 ref: 00007FF72B901453
SendMessageW.USER32 ref: 00007FF72B901471
LocalReAlloc.KERNEL32 ref: 00007FF72B90148E
SetCursor.USER32 ref: 00007FF72B9014CE
UnmapViewOfFile.KERNEL32 ref: 00007FF72B901511
SendMessageW.USER32 ref: 00007FF72B90152D
LocalLock.KERNEL32 ref: 00007FF72B901550
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B901607
MultiByteToWideChar.KERNEL32 ref: 00007FF72B901625
UnmapViewOfFile.KERNEL32 ref: 00007FF72B9016A0
LocalUnlock.KERNEL32 ref: 00007FF72B901721
SendMessageW.USER32 ref: 00007FF72B901756
CloseHandle.KERNEL32 ref: 00007FF72B901989

Strings

0, xrefs: 00007FF72B90195D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FileMessageSend$Handle$ByteCharCloseCursorLocalMultiViewWide$ExtensionFindFreePathTaskUnmapmemset$#170AllocCreateErrorInformationLastLockMappingTextUnicodeUnlock_o__wcsicmpmemcpy
String ID: 0
API String ID: 585679752-4108050209
Opcode ID: 36489fdf4e85da6a33a26a8ca3c57d8eb6880c61b5a4e6560729996b0adab27e
Instruction ID: ff53f9ab91728b402caafb97924612abac42f4c41883f742ecaac64319957e7c
Opcode Fuzzy Hash: 36489fdf4e85da6a33a26a8ca3c57d8eb6880c61b5a4e6560729996b0adab27e
Instruction Fuzzy Hash: 90525072918692CBE720AB19E84067AFBA0FB85750F819135DA8D43BB4DF7DE484DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9004FC, Relevance: 72.2, APIs: 38, Strings: 3, Instructions: 498filewindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF72B90057C
DuplicateEncryptionInfoFile.ADVAPI32 ref: 00007FF72B9005AA
PathFileExistsW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B9005B9
CreateFileW.KERNEL32 ref: 00007FF72B9005E9
GetLastError.KERNEL32 ref: 00007FF72B900606
SendMessageW.USER32 ref: 00007FF72B900656
SendMessageW.USER32 ref: 00007FF72B900674
SendMessageW.USER32 ref: 00007FF72B900691
SendMessageW.USER32 ref: 00007FF72B9006B2
LocalLock.KERNEL32 ref: 00007FF72B9006CD
WriteFile.KERNEL32 ref: 00007FF72B900723
GetACP.KERNEL32 ref: 00007FF72B900740
WideCharToMultiByte.KERNEL32 ref: 00007FF72B90078B
WriteFile.KERNEL32 ref: 00007FF72B900810
WriteFile.KERNEL32 ref: 00007FF72B900859
WriteFile.KERNEL32 ref: 00007FF72B9008A9
WriteFile.KERNEL32 ref: 00007FF72B9008CD
SetEndOfFile.KERNEL32 ref: 00007FF72B9008EC
LocalUnlock.KERNEL32 ref: 00007FF72B9008FB
SendMessageW.USER32 ref: 00007FF72B900925
CloseHandle.KERNEL32 ref: 00007FF72B900963
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B900984
#170.API-MS-WIN-SHCORE-PATH-L1-1-0 ref: 00007FF72B900997
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B9009AA
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B900A35
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B900A64
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B900AAB
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B900ADF
GetFileAttributesW.KERNEL32 ref: 00007FF72B900AF3
DecryptFileW.ADVAPI32 ref: 00007FF72B900B0F
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B900BC7
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B900BEE
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B900CA0
SetCursor.USER32 ref: 00007FF72B900CB3
SetCursor.USER32 ref: 00007FF72B900CDD
CloseHandle.KERNEL32 ref: 00007FF72B900CF0
LocalUnlock.KERNEL32 ref: 00007FF72B900D0F
DeleteFileW.KERNEL32 ref: 00007FF72B900D23

Strings

1, xrefs: 00007FF72B9007BD
shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B900B26, 00007FF72B900B61
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B900BC0

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: File$MessageSendWrite$FreeLocalTaskmemset$AttributesCloseCreateCursorHandlePathUnlock$#170ActivationByteCharDecryptDeleteDuplicateEncryptionErrorExistsExtensionFactoryFindInfoLastLockMultiReferenceStringWideWindows
String ID: 1$Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 545286052-3300918443
Opcode ID: 7bae2d965a9fcb1a82e12f0a8706b7e8f1c581ca1d39e3b5be4d78f690307692
Instruction ID: 95d8ea039921a6e2c2bab9dbc2b27a20085dc3914fd3eaed7d3a54f51dd31e0d
Opcode Fuzzy Hash: 7bae2d965a9fcb1a82e12f0a8706b7e8f1c581ca1d39e3b5be4d78f690307692
Instruction Fuzzy Hash: DF326E32A18A46CAE710AB19EC401B9F7A1FB89B94F859535DA8E43774DF3CE444DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FB600, Relevance: 61.9, APIs: 34, Strings: 1, Instructions: 611windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 00007FF72B8FB6C3
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FB6FF

Part of subcall function 00007FF72B9132F8: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8FAE9C), ref: 00007FF72B91333F
Part of subcall function 00007FF72B9132F8: RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8FAE9C), ref: 00007FF72B91337B

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B8FB748
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B8FB76C

Part of subcall function 00007FF72B913D64: WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913DA0

MessageBeep.USER32 ref: 00007FF72B8FB8BC
MessageBeep.USER32 ref: 00007FF72B8FB8CA
DestroyWindow.USER32 ref: 00007FF72B8FBA3F
DestroyWindow.USER32 ref: 00007FF72B8FBA52
DeleteObject.GDI32 ref: 00007FF72B8FBA65
SendMessageW.USER32 ref: 00007FF72B8FBA82
IsIconic.USER32 ref: 00007FF72B8FBA9A
SetFocus.USER32 ref: 00007FF72B8FBAB5
IsIconic.USER32 ref: 00007FF72B8FBADE
GetForegroundWindow.USER32 ref: 00007FF72B8FBAF2
GetForegroundWindow.USER32 ref: 00007FF72B8FBB0B
DefWindowProcW.USER32 ref: 00007FF72B8FBB50
PostQuitMessage.USER32 ref: 00007FF72B8FBB63
SetCursor.USER32 ref: 00007FF72B8FBC85
SetCursor.USER32 ref: 00007FF72B8FBCA5
SetCursor.USER32 ref: 00007FF72B8FBCCB
SetCursor.USER32 ref: 00007FF72B8FBCF4
GetKeyboardLayout.USER32 ref: 00007FF72B8FBD68
MessageBoxW.USER32 ref: 00007FF72B8FBE59
SetWindowPos.USER32 ref: 00007FF72B8FBEBD
SendMessageW.USER32 ref: 00007FF72B8FBEDF
GetDpiForWindow.USER32 ref: 00007FF72B8FBEF2
MulDiv.KERNEL32 ref: 00007FF72B8FBF0C
CreateFontIndirectW.GDI32 ref: 00007FF72B8FBF27
DeleteObject.GDI32 ref: 00007FF72B8FBF42
SendMessageW.USER32 ref: 00007FF72B8FBF69
RedrawWindow.USER32 ref: 00007FF72B8FBF84

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B8FB741

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Window$Message$CreateCursor$ReferenceSendStringWindows$ActivationBeepDeleteDestroyFactoryForegroundIconicObject$CtrlFocusFontIndirectKeyboardLayoutPostProcQuitRedrawmemset
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 679159887-1562784004
Opcode ID: 8a89c5570c31e86ef3a24bb5e5a74527853b9ba4268867e204b9852e9fc6ae60
Instruction ID: 72b3f4212d4286015ba4fbc6e63fdf578ed125d913f01fc1a3a6b56be7b59aca
Opcode Fuzzy Hash: 8a89c5570c31e86ef3a24bb5e5a74527853b9ba4268867e204b9852e9fc6ae60
Instruction Fuzzy Hash: 94425D31E19642CAEA10AB1DEC40179FAA0EF99B80FC55131DA8D437B5CE3CF5559FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FD04C, Relevance: 46.7, APIs: 31, Instructions: 211windowclipboardCOMMON

Download Yara Rule

APIs

GetMenu.USER32 ref: 00007FF72B8FD072
SendMessageW.USER32(?,?,?,?,?,?,?,?,00000003,00007FF72B8FBFFA), ref: 00007FF72B8FD095
GetSubMenu.USER32 ref: 00007FF72B8FD0B8
EnableMenuItem.USER32 ref: 00007FF72B8FD0CF
GetSubMenu.USER32 ref: 00007FF72B8FD0E1
EnableMenuItem.USER32 ref: 00007FF72B8FD0F8
GetSubMenu.USER32 ref: 00007FF72B8FD10A
EnableMenuItem.USER32 ref: 00007FF72B8FD121
GetSubMenu.USER32 ref: 00007FF72B8FD133
EnableMenuItem.USER32 ref: 00007FF72B8FD14A
OpenClipboard.USER32 ref: 00007FF72B8FD159
IsClipboardFormatAvailable.USER32(?,?,?,?,?,?,?,?,00000003,00007FF72B8FBFFA), ref: 00007FF72B8FD16C
CloseClipboard.USER32(?,?,?,?,?,?,?,?,00000003,00007FF72B8FBFFA), ref: 00007FF72B8FD17B
GetSubMenu.USER32 ref: 00007FF72B8FD196
EnableMenuItem.USER32 ref: 00007FF72B8FD1AD
SendMessageW.USER32(?,?,?,?,?,?,?,?,00000003,00007FF72B8FBFFA), ref: 00007FF72B8FD1CA
GetSubMenu.USER32 ref: 00007FF72B8FD1E6
EnableMenuItem.USER32 ref: 00007FF72B8FD1FD
GetSubMenu.USER32 ref: 00007FF72B8FD20F
EnableMenuItem.USER32 ref: 00007FF72B8FD226
GetSubMenu.USER32 ref: 00007FF72B8FD238
EnableMenuItem.USER32 ref: 00007FF72B8FD24F
GetSubMenu.USER32 ref: 00007FF72B8FD26E
EnableMenuItem.USER32 ref: 00007FF72B8FD285
SendMessageW.USER32(?,?,?,?,?,?,?,?,00000003,00007FF72B8FBFFA), ref: 00007FF72B8FD2A3
GetSubMenu.USER32 ref: 00007FF72B8FD2BD
EnableMenuItem.USER32 ref: 00007FF72B8FD2D4
GetSubMenu.USER32 ref: 00007FF72B8FD2F5
CheckMenuItem.USER32 ref: 00007FF72B8FD30C
GetSubMenu.USER32 ref: 00007FF72B8FD322
CheckMenuItem.USER32 ref: 00007FF72B8FD343

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Menu$Item$Enable$ClipboardMessageSend$Check$AvailableCloseFormatOpen
String ID:
API String ID: 2500327735-0
Opcode ID: 10b6eeda3b26afaa3f1c45e349fa7e4d4bcb9036a5690b848020500dc22c3045
Instruction ID: b401991e9b586bb2dd659fd99931100d5545e73a6b445de69646cb5b9af2b910
Opcode Fuzzy Hash: 10b6eeda3b26afaa3f1c45e349fa7e4d4bcb9036a5690b848020500dc22c3045
Instruction Fuzzy Hash: 6D912975A14A52CBE700AB25A854579FBA0FBCEB81B85E134CE4E43B24DF3CE4469B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90EB20, Relevance: 42.2, APIs: 28, Instructions: 187windowmemoryCOMMON

Download Yara Rule

APIs

SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EB50
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EB83
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EBA1
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EBC8
LocalAlloc.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EBE2
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EBF9

Part of subcall function 00007FF72B8F91BC: SendMessageW.USER32 ref: 00007FF72B8F924B
Part of subcall function 00007FF72B8F91BC: SendMessageW.USER32 ref: 00007FF72B8F926E
Part of subcall function 00007FF72B8F91BC: SendMessageW.USER32 ref: 00007FF72B8F928C

GetClientRect.USER32 ref: 00007FF72B90EC17
LocalLock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EC26
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EC47

Part of subcall function 00007FF72B903788: CreateWindowExW.USER32 ref: 00007FF72B9037D0

SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EC73
LocalUnlock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EC82
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EC91
GetWindowLongW.USER32 ref: 00007FF72B90ECB2
SetWindowLongW.USER32 ref: 00007FF72B90ECC7
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ECE5
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ECFE
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED12
DestroyWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED21
LocalUnlock.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED35
LocalFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED44
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED6A
ShowWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90ED8B
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EDA9
SendMessageW.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EDC9
SetFocus.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EDDC
SetCursor.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EDEB
GetClientRect.USER32 ref: 00007FF72B90EE0B
ShowWindow.USER32(?,?,?,?,?,00000000,00000000,00000000,00000000,?), ref: 00007FF72B90EE36

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$LocalWindow$Cursor$ClientFreeLongRectShowUnlock$AllocCreateDestroyFocusLock
String ID:
API String ID: 126884220-0
Opcode ID: 9ad8cc02bf42c9665355f16e910318055b48ecd9cc59fc5f2ce6a19f6011c344
Instruction ID: b1652723942917fe4bd1d0faf5afe590c85867e57638a2ed4d5addbbb55315bf
Opcode Fuzzy Hash: 9ad8cc02bf42c9665355f16e910318055b48ecd9cc59fc5f2ce6a19f6011c344
Instruction Fuzzy Hash: 3F91EA35A19A42CBE700AB19EC94579BB60FBCEB51F86A531CE4E07774CF3CA4459B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B911028, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 242registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF72B911075
RegOpenKeyExW.ADVAPI32 ref: 00007FF72B9110A9
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF72B9110FD
RegEnumValueW.ADVAPI32 ref: 00007FF72B911173
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B911375
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B91138A
RegCloseKey.ADVAPI32 ref: 00007FF72B9113A4
RegCloseKey.ADVAPI32 ref: 00007FF72B9113B9

Strings

Software\Microsoft\Notepad\Autosave, xrefs: 00007FF72B911067

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CloseFreeOpenTask$EnumInfoQueryValue
String ID: Software\Microsoft\Notepad\Autosave
API String ID: 10180006-1427544894
Opcode ID: 6e8a5ebfa77c94e7876d62ba35bf7f286cb2fc06c22f01ab6caac85adecf2b64
Instruction ID: cb6a434e97e5452e91bb5d1aaab850d32d88477aef7f0d19a5861bda56aa34fe
Opcode Fuzzy Hash: 6e8a5ebfa77c94e7876d62ba35bf7f286cb2fc06c22f01ab6caac85adecf2b64
Instruction Fuzzy Hash: 6DB1D236B18A52DEEB10AF68E8502BDB7A0FB85748F855131DE8D13B68DF38D444DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B910D28, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 195registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF72B910D7D
RegCreateKeyExW.ADVAPI32 ref: 00007FF72B910DC3
RegCloseKey.ADVAPI32 ref: 00007FF72B910FDC
RegCloseKey.ADVAPI32 ref: 00007FF72B910FF1

Strings

%s\%s.autosave, xrefs: 00007FF72B910DF2
Software\Microsoft\Notepad\Autosave, xrefs: 00007FF72B910D46
%i,%s, xrefs: 00007FF72B910EC7

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CloseCreate
String ID: %i,%s$%s\%s.autosave$Software\Microsoft\Notepad\Autosave
API String ID: 2932200918-285130182
Opcode ID: 8a4cce6cc3c9892ad89a71ccae19c739badeba75e027dd4b9811dc452bb17127
Instruction ID: 52c2ae515e1fd31721eef37119b90602fc9008f9705ef2b31f976d4f66952d4c
Opcode Fuzzy Hash: 8a4cce6cc3c9892ad89a71ccae19c739badeba75e027dd4b9811dc452bb17127
Instruction Fuzzy Hash: 5A91A332A18B42CAEB10AF19EC405B9BB60FF89794B856131DE8E137A4CF3DD045DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F7D38, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 208synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF72B8F7D74

Part of subcall function 00007FF72B8F21F0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B8F2230

CreateMutexExW.KERNEL32 ref: 00007FF72B8F7DB6
WaitForSingleObjectEx.KERNEL32 ref: 00007FF72B8F7DE4

Part of subcall function 00007FF72B8F288C: GetLastError.KERNEL32 ref: 00007FF72B8F2890

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF72B8F8043
wil, xrefs: 00007FF72B8F7E2B
x, xrefs: 00007FF72B8F7D8F
Local\SM0:%d:%d:%hs, xrefs: 00007FF72B8F7D85

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexObjectProcessSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$onecore\internal\sdk\inc\wil\opensource\wil\resource.h$wil$x
API String ID: 3333087404-3363748427
Opcode ID: c440184ade505da0ab71912d83ca09aa0c60c7d8cffe59e8dc11d6a258e75d02
Instruction ID: 59b2a6bd036b2dfef097c3a406c543c8ec6292e8c9c8d628cd7082b3758562ec
Opcode Fuzzy Hash: c440184ade505da0ab71912d83ca09aa0c60c7d8cffe59e8dc11d6a258e75d02
Instruction Fuzzy Hash: 9881A036618A42C6F760AF19EC406B9F761EB99B80FD09031EA8D47B65DF3CF4518B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FCBEC, Relevance: 22.7, APIs: 15, Instructions: 237filewindowCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF72B8FCC7C
FindFirstFileW.KERNEL32 ref: 00007FF72B8FCC94
FindClose.KERNEL32 ref: 00007FF72B8FCCE2
FormatMessageW.KERNEL32 ref: 00007FF72B8FCD83
SetWindowTextW.USER32 ref: 00007FF72B8FCDA2
LocalFree.KERNEL32 ref: 00007FF72B8FCDBF
LocalFree.KERNEL32 ref: 00007FF72B8FCDCE

Part of subcall function 00007FF72B8FFA28: LocalAlloc.KERNEL32(00000000,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFAA7

Part of subcall function 00007FF72B8FFB28: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB57
Part of subcall function 00007FF72B8FFB28: LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB68
Part of subcall function 00007FF72B8FFB28: SetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB76

_Init_thread_footer.LIBCMT ref: 00007FF72B8FCE2A
FindFirstFileW.KERNEL32 ref: 00007FF72B8FCE4A
FindClose.KERNEL32 ref: 00007FF72B8FCE73
CompareStringOrdinal.KERNEL32 ref: 00007FF72B8FCEBD
FormatMessageW.KERNEL32 ref: 00007FF72B8FCFA9
SetWindowTextW.USER32 ref: 00007FF72B8FCFC8
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FCFF6
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FD00C

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Free$Local$Find$CloseErrorFileFirstFormatLastMessageTaskTextWindow$AllocCompareInit_thread_footerOrdinalString
String ID:
API String ID: 2306847634-0
Opcode ID: 4734b65dcc0e080e251f5611d7f68aa4fdbe8bbeac2cc4256f4101b3e371a595
Instruction ID: 371c0a793c4e4a43b9a5c9945265343c08dfc167b496b46791f4c70e0d73a729
Opcode Fuzzy Hash: 4734b65dcc0e080e251f5611d7f68aa4fdbe8bbeac2cc4256f4101b3e371a595
Instruction Fuzzy Hash: 84C14A32A09A42CAEB10AF18EC401A9B7A4FB96794FC55231DA9D077B5DF3CE514CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B902CC8, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 178fileCOMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B902D5F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B902DCA
PathIsFileSpecW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B902DEC
FindFirstFileW.KERNEL32 ref: 00007FF72B902E2C
FindClose.KERNEL32 ref: 00007FF72B902E41
PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B902E55
FindFirstFileW.KERNEL32 ref: 00007FF72B902EBE
FindClose.KERNEL32 ref: 00007FF72B902ED3
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B902EF8
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B902F2D
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B902F41

Strings

.txt, xrefs: 00007FF72B902EA4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FindFreeTask$File$CloseFirstPath$ExtensionSpec
String ID: .txt
API String ID: 3904377374-2195685702
Opcode ID: 5acdd54beb96a11c681456e77c26d8a4c1a8b6af072cda3c6876b7121b3800a9
Instruction ID: bf699f69c116ba0de0a9f0e1362544f2f1c060a2b7670a4ab23f6fb8aeb95e77
Opcode Fuzzy Hash: 5acdd54beb96a11c681456e77c26d8a4c1a8b6af072cda3c6876b7121b3800a9
Instruction Fuzzy Hash: 7C71B622618941C1DA20FB15E8501B9FB60FF89BA4FC85631EADE037E5DF3CE5458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9113E4, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84filewindowCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,?,?,?,00000000,00000003,00007FF72B8FB971), ref: 00007FF72B9113F9
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000003,00007FF72B8FB971), ref: 00007FF72B91140B
CreateFileW.KERNEL32 ref: 00007FF72B911498
CloseHandle.KERNEL32 ref: 00007FF72B9114AD
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF72B9114C8
SendMessageW.USER32 ref: 00007FF72B9114E9
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,00000000,00000003,00007FF72B8FB971), ref: 00007FF72B911512

Strings

probe.autosave, xrefs: 00007FF72B911452
%s\%s, xrefs: 00007FF72B911461

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateFree$CloseDirectoryDiskErrorFileHandleLastMessageSendSpaceTask
String ID: %s\%s$probe.autosave
API String ID: 3915114138-22072891
Opcode ID: fb1c7cf06db92606c190e0a0bf4e1541477659cba765ad4fc1509ed0b759d3d4
Instruction ID: 97f47b38265f252767658e8f9019dc25b5d8ac82d2666d71446a68665ed29a47
Opcode Fuzzy Hash: fb1c7cf06db92606c190e0a0bf4e1541477659cba765ad4fc1509ed0b759d3d4
Instruction Fuzzy Hash: F1319532A18651DBE710AF19E8505B9B760FBC9764F846230DA9E076A0CF3CE445DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B900174, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106timewindowCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B9001B0
GetLocalTime.KERNEL32 ref: 00007FF72B9001BF

Part of subcall function 00007FF72B900114: GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00007FF72B9019EF), ref: 00007FF72B900136

GetLocaleInfoW.KERNEL32 ref: 00007FF72B9001F0
GetUserDefaultUILanguage.KERNEL32 ref: 00007FF72B900204
GetDateFormatW.KERNEL32 ref: 00007FF72B900259
GetTimeFormatW.KERNEL32 ref: 00007FF72B900288
SendMessageW.USER32 ref: 00007FF72B900322

Strings

P, xrefs: 00007FF72B900268

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FormatInfoLocaleTime$DateDefaultLanguageLocalMessageSendUsermemset
String ID: P
API String ID: 1142591158-3110715001
Opcode ID: c679d656eb6d46234c228883503a9f4906331edc57d3be65ebd494dda753449e
Instruction ID: 45ebd112d7d3c09c10734267453c3a73848d1e6a0a1a14d671e0315802d2295d
Opcode Fuzzy Hash: c679d656eb6d46234c228883503a9f4906331edc57d3be65ebd494dda753449e
Instruction Fuzzy Hash: 06416E36618A81CAE720AF68D8403F9B761FB88744FC15432EA8E437A5DF3CE545CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B910690, Relevance: 13.6, APIs: 9, Instructions: 112windowCOMMON

Download Yara Rule

APIs

SetCursor.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9106B8
SendMessageW.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9106D6
SendMessageW.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9106F4
LocalLock.KERNEL32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910713
GetWindowTextLengthW.USER32 ref: 00007FF72B91072E

Part of subcall function 00007FF72B90E6F0: FindNLSString.KERNEL32 ref: 00007FF72B90E730

LocalUnlock.KERNEL32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9107A3
SetCursor.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9107DC
SendMessageW.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9107FA
SendMessageW.USER32(?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910818

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$CursorLocal$FindLengthLockStringTextUnlockWindow
String ID:
API String ID: 3257532295-0
Opcode ID: d857d886ddc55264e7ae5c1a43d11e7fea413f208d306eb5c5c1fede264882ee
Instruction ID: d54b90efd2fc2b914bafb2be137035ad378072f77ebe7c7245b8ceeb9df9e416
Opcode Fuzzy Hash: d857d886ddc55264e7ae5c1a43d11e7fea413f208d306eb5c5c1fede264882ee
Instruction Fuzzy Hash: 33416225A19B42CBEB11AB19AC5057AFAA0FFC9B51F866135DD8E03770CE3CE4459F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B916500, Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF72B91651C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B916540
RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B916549
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B916563
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF72B9165A4
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B9165D7
IsDebuggerPresent.KERNEL32 ref: 00007FF72B9165F8
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF72B916619
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF72B916624

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 99069975b61ab5e8d245399fc568debaa394eb3ff8c4f63bfc2c813cf5e46932
Instruction ID: 0e045693b570f9dff81c5c62fae56e8d1039bc3b71bbd5c01ee88ec622039791
Opcode Fuzzy Hash: 99069975b61ab5e8d245399fc568debaa394eb3ff8c4f63bfc2c813cf5e46932
Instruction Fuzzy Hash: 66316472A14A81C9EB60AF68EC803ED7760F784748F845039DA8D47694DF78D548DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B903A80, Relevance: 12.2, APIs: 8, Instructions: 187windowCOMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32 ref: 00007FF72B903ABB
GetDpiForMonitor.API-MS-WIN-SHCORE-SCALING-L1-1-1 ref: 00007FF72B903AD4
MulDiv.KERNEL32 ref: 00007FF72B903B5B
MulDiv.KERNEL32 ref: 00007FF72B903BD7
MulDiv.KERNEL32 ref: 00007FF72B903C58
MulDiv.KERNEL32 ref: 00007FF72B903CDD
SendMessageW.USER32 ref: 00007FF72B903D32
SendMessageW.USER32 ref: 00007FF72B903D4D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageMonitorSend$FromWindow
String ID:
API String ID: 3597471249-0
Opcode ID: d0279e6e14b2005ac53fcfbc983a17bb096bd598b6f4c2dea59f50dab1916091
Instruction ID: 55c319bbe274af9fd8579e54c06398fb026b4a7100fc5ebdd3f368dfbdca3c18
Opcode Fuzzy Hash: d0279e6e14b2005ac53fcfbc983a17bb096bd598b6f4c2dea59f50dab1916091
Instruction Fuzzy Hash: 3C917032B18A51CBE710DF29E840AACBBA0FB89B48F815535DA4D93B65CF38D505CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FA52E, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 198windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF72B8FA591
SendMessageW.USER32 ref: 00007FF72B8FAA65
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FAFC7

Strings

shell\osshell\accesory\notepad\notepad.cpp, xrefs: 00007FF72B8FA6AF

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$FreeTask
String ID: shell\osshell\accesory\notepad\notepad.cpp
API String ID: 3291876417-1693142988
Opcode ID: 5e72e1ba180cdd0cfa0ad077bafa72762d6e2964ad6a419b9b5a4c495619738d
Instruction ID: e6ef5643b3dabb5279edb31395f91c318beb00e5c4a06da7055059dea5953571
Opcode Fuzzy Hash: 5e72e1ba180cdd0cfa0ad077bafa72762d6e2964ad6a419b9b5a4c495619738d
Instruction Fuzzy Hash: 77918D36E1C682CAE711AB28EC50679BBB4FB96744FC55139C68D42674CF3CA058CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FC744, Relevance: 7.7, APIs: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF72B8FC870
SendMessageW.USER32 ref: 00007FF72B8FC8FC
SendMessageW.USER32 ref: 00007FF72B8FC91D
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FC94C
SendMessageW.USER32 ref: 00007FF72B8FC990

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$memset
String ID:
API String ID: 2191228795-0
Opcode ID: 2109e02e9cdacd837aaadda92213647c32410cf6be357716115de53c04c2e24c
Instruction ID: 67020089bca6c2de59d9894c5d1fe937c9d3b620c5d17b4699ea11fb24aaf62b
Opcode Fuzzy Hash: 2109e02e9cdacd837aaadda92213647c32410cf6be357716115de53c04c2e24c
Instruction Fuzzy Hash: 49617F72A18681D6EB20EB19EC40A69BBA0FB95B84FC55035DA8D43B74CF3CE115CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FC4BC, Relevance: 7.6, APIs: 5, Instructions: 147windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FC744: SendMessageW.USER32 ref: 00007FF72B8FC870
Part of subcall function 00007FF72B8FC744: SendMessageW.USER32 ref: 00007FF72B8FC8FC

SendMessageW.USER32 ref: 00007FF72B8FC571
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FC58C
SendMessageW.USER32 ref: 00007FF72B8FC5E8
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FC677
SendMessageW.USER32 ref: 00007FF72B8FC6FA

Part of subcall function 00007FF72B8FCA10: SendMessageW.USER32 ref: 00007FF72B8FCAB3
Part of subcall function 00007FF72B8FCA10: SendMessageW.USER32 ref: 00007FF72B8FCB26

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$memset
String ID:
API String ID: 2191228795-0
Opcode ID: a55f65b6909bf37b995a8dc2917ab60a429626a5e85ac85f587b770514edbb08
Instruction ID: 2aff7f093a2baa2912c99cc168c085367efc6ef15319408578270a303fa79692
Opcode Fuzzy Hash: a55f65b6909bf37b995a8dc2917ab60a429626a5e85ac85f587b770514edbb08
Instruction Fuzzy Hash: 7C614831E1C642C6EB10AB59EC546A9AB60FB99740FC15036EA8D43BB4CF3DE5158FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B901B94, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72B901BB2
FormatMessageW.KERNEL32 ref: 00007FF72B901BF1
MessageBoxW.USER32 ref: 00007FF72B901C1A

Part of subcall function 00007FF72B8FD3C8: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FD403
Part of subcall function 00007FF72B8FD3C8: LocalAlloc.KERNEL32 ref: 00007FF72B8FD440
Part of subcall function 00007FF72B8FD3C8: MessageBoxW.USER32 ref: 00007FF72B8FD4E1
Part of subcall function 00007FF72B8FD3C8: LocalFree.KERNEL32 ref: 00007FF72B8FD4F2

Strings

0, xrefs: 00007FF72B901C40

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$Local$AllocErrorFormatFreeLastwcsnlen
String ID: 0
API String ID: 230745121-4108050209
Opcode ID: aa91e757aace67e0b7ddcb767b5fd33ce37bf33ba466f9430a97a04315945814
Instruction ID: dfa178bb3bf32d4c6892114ce4da5db189ba782b482fff9c2fb3e8ff24039f02
Opcode Fuzzy Hash: aa91e757aace67e0b7ddcb767b5fd33ce37bf33ba466f9430a97a04315945814
Instruction Fuzzy Hash: F4113D71918A42C6E760AB15FC543B9BA60FB99B84FC55535DACE43760CF3CE1848F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3E9C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3ED3
GetProcAddress.KERNEL32 ref: 00007FF72B8F3EF0

Strings

ntdll.dll, xrefs: 00007FF72B8F3ECC
NtUpdateWnfStateData, xrefs: 00007FF72B8F3EE6

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtUpdateWnfStateData$ntdll.dll
API String ID: 1646373207-3251081820
Opcode ID: a6f1944db0c258a3b630c86e7b4c21c2756672431c2302d080a8abd373555ade
Instruction ID: 44196e4eceb652442a90e0615ebc98b4787dcc62164887015b8294145539c1fd
Opcode Fuzzy Hash: a6f1944db0c258a3b630c86e7b4c21c2756672431c2302d080a8abd373555ade
Instruction Fuzzy Hash: 5C113A31A19B42CAEB11AB09F844265F7A0FB88B94FC19135DA8D43B24EF3CE414DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3DF4, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3E23
GetProcAddress.KERNEL32 ref: 00007FF72B8F3E40

Strings

ntdll.dll, xrefs: 00007FF72B8F3E1C
NtQueryWnfStateData, xrefs: 00007FF72B8F3E36

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryWnfStateData$ntdll.dll
API String ID: 1646373207-3115237368
Opcode ID: 79ac5ba1aafd97cc3887946a05c00f04cdd9898959b0d8929c476eaf65730741
Instruction ID: 776b04fd8acd6e6ffc48c627048cc6a30c445903a334ff21f44ee0ab07ef78dc
Opcode Fuzzy Hash: 79ac5ba1aafd97cc3887946a05c00f04cdd9898959b0d8929c476eaf65730741
Instruction Fuzzy Hash: 02013521A1AB46CAEA11AB0EEC40165A7A1FF98B84BC58231CA8D03734EF3CE0108F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B915A88, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00007FF72B915BBD), ref: 00007FF72B915A91
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF72B915BBD), ref: 00007FF72B915AA9
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FF72B915BBD), ref: 00007FF72B915AB2
GetCurrentProcess.KERNEL32(?,?,?,00007FF72B915BBD), ref: 00007FF72B915ACB

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: 6d985a4df7080e085682b06adf58882ac15ae3df810fe9370a7f39c114eb97d7
Instruction ID: b6b79a35cf6ec6406b822be30fcf39d3cf4b52c887e090c8a528b4cf627b8216
Opcode Fuzzy Hash: 6d985a4df7080e085682b06adf58882ac15ae3df810fe9370a7f39c114eb97d7
Instruction Fuzzy Hash: 42F03060D28606CEF7147B6CAC95234B661EFC4B05FC56434CA8E112B2CE7D7484AA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F9058, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF72B8F9089

Strings

1, xrefs: 00007FF72B8F9095

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: InfoLocale
String ID: 1
API String ID: 2299586839-2212294583
Opcode ID: 8a906198e939dde3a6dccf918f9511260b3464488a97aec2dc50c79c7517998e
Instruction ID: a32463b8f09bd3534a44fe7e726588e0e0c9cf8734f880638d7d527d9fb7a313
Opcode Fuzzy Hash: 8a906198e939dde3a6dccf918f9511260b3464488a97aec2dc50c79c7517998e
Instruction Fuzzy Hash: B6019E70E18242CFE340AB18EC41B68B6A4FB55300F828136D59C862A0EB7DA5448FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B912434, Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B912472

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 43a3df711b02c09b8eff4db52f501b4a598933823c09aae3895f263ae16e3b59
Instruction ID: c1ac3d06c9a315f52f9bc7957e44cf4b75619edfc9740ae460d7dae3673dc909
Opcode Fuzzy Hash: 43a3df711b02c09b8eff4db52f501b4a598933823c09aae3895f263ae16e3b59
Instruction Fuzzy Hash: A1015E32A18A46C6EA10AF19FD40065B761FBC8B84B859231DADC42774DF3CD555DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B900114, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00007FF72B9019EF), ref: 00007FF72B900136

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5c5e1314434c758303403ee755ca97e94c1b5d9eccd59329be68924ac39baf3c
Instruction ID: c87c20ce98c104f38b4472b36fe05fdb3fcafd494cf6aa4637abb143e67d211e
Opcode Fuzzy Hash: 5c5e1314434c758303403ee755ca97e94c1b5d9eccd59329be68924ac39baf3c
Instruction Fuzzy Hash: 48F03035A18A86CBEA50AB19EC513A9B2A0FB89704FC14036DA8D8B791DE2CE5058F11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FF520, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f0404d8c561c9b3f4b608d8456b6dc327ba9193c3a7336f6d2d0eee7641468
Instruction ID: 3eeb42cb503c87dbfd737548371983e0bb210890e8681f9f6d5302151b149bf9
Opcode Fuzzy Hash: f6f0404d8c561c9b3f4b608d8456b6dc327ba9193c3a7336f6d2d0eee7641468
Instruction Fuzzy Hash: FD7108B3B265A547E7689E18C811A38B692E794740BD5803DD60E87BE4DE3DF861CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F720C, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266bd32a55913ef1480b9e5364e5e6387acd7a5b89d2cb97839471350b421b56
Instruction ID: 7d6476d8a68ec2ab6f42d760acbd04afcdb3822a3d6719e8e3a30f763884a8c3
Opcode Fuzzy Hash: 266bd32a55913ef1480b9e5364e5e6387acd7a5b89d2cb97839471350b421b56
Instruction Fuzzy Hash: 6E615936B15A15CAE754DF69D8406AC73F1F708B88F809039DE0D97B64DE38E852CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90E4C8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 3b744179f8365926c945c50dded99753f764bb389e0940afee0dbcae169864d2
Instruction ID: c24cca33f4bcc7aacc7ea7b787ca8e58a2c5730344d79c3f97fae313a9541027
Opcode Fuzzy Hash: 3b744179f8365926c945c50dded99753f764bb389e0940afee0dbcae169864d2
Instruction Fuzzy Hash: EE31F632F3895186EBA89B3CDC0172A76D1E784784F848534EA4DC7BA8DE3CE4418F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE8EC, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: f5a1bef9bc626fd63671de0d7da819b0af651419c9f74f56cd6914c93b83d717
Instruction ID: 67dd7b91e27ce120ee551e9335aa8c685cd6fac2d77e4abbcaa9a09a947920ff
Opcode Fuzzy Hash: f5a1bef9bc626fd63671de0d7da819b0af651419c9f74f56cd6914c93b83d717
Instruction Fuzzy Hash: BE31D233B2855186EBA89B3DDC0172AB6D1E794784FC4D134DA4DC7AA8DE3CE4518FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FEBA4, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 1e181e26e1d302fb26bfe6360b3c10f2e96d5373f967cc42ec220bc73bb89e87
Instruction ID: e3a8e67c7d4ac6d693921cdd892192d85095843eeb14b50ea0987aa57247740a
Opcode Fuzzy Hash: 1e181e26e1d302fb26bfe6360b3c10f2e96d5373f967cc42ec220bc73bb89e87
Instruction Fuzzy Hash: EA31F233B385518AEBA89A3DDC0173A66D1E794784FC48134EA5DC3BA4DA3CE4528F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FDFCC, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 693dedf6943ce648ad049bc9aba0d74ae8c6c461c7d65337b3b725dfcceea574
Instruction ID: 5278ac2f31da50980e215c3afa16a478fbf91cd1e76c6d2e7596cac8b0d4d2dd
Opcode Fuzzy Hash: 693dedf6943ce648ad049bc9aba0d74ae8c6c461c7d65337b3b725dfcceea574
Instruction Fuzzy Hash: DF31E333B2855186EBA89A3DDC0176AA6D1F7D4784FC48134EA0DC7BA8DE3DE4518F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE3E0, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: ad18ce701b9b1c19e6dd6798883fe5cb3498da7c4c7c10e9e792a27c81fcf6f6
Instruction ID: 94c175cd8af24f059615c45464e4107540354299037ad91b27772ca30ffbf1f4
Opcode Fuzzy Hash: ad18ce701b9b1c19e6dd6798883fe5cb3498da7c4c7c10e9e792a27c81fcf6f6
Instruction Fuzzy Hash: 6231C533F2855186EBA89B3DDC0172966D1E7A4744FC48138EA0DC7BA8DA3CE4518F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE714, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: bdd6c52d446d256428f1ca0f7e0351d854a6dfa3e7e7e3be2fdce4a6561f00d7
Instruction ID: 24e3aae63735a234f740645e77407c52f6661fb969b1f8c1959763bd624b55ee
Opcode Fuzzy Hash: bdd6c52d446d256428f1ca0f7e0351d854a6dfa3e7e7e3be2fdce4a6561f00d7
Instruction Fuzzy Hash: 0F311633B3855186EBA89A3CDC0172966D1E794744FC4C134DA1DC3BA8DE3CE4528F90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FEA48, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 0ccc502ed95a9565fa4c5ea89f1ab34a51e3359721808fd16c88a6c9b2208fd4
Instruction ID: 668ef352af49ba785d471beb95ad714484435dbbf6821e9111db37326b1ccc16
Opcode Fuzzy Hash: 0ccc502ed95a9565fa4c5ea89f1ab34a51e3359721808fd16c88a6c9b2208fd4
Instruction Fuzzy Hash: 6231E733B2855187EBA49A3DDC0172A66D1E794784FC49134DA0EC7BA8DE3CE4518F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FDE70, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 63a85b23b9c4fcbc2391e192abcb120a192f381abe3b8e5a78a11d651ce3c3d3
Instruction ID: c848323da911207029503003271a87c857f3e3448586b3a0ff81e6cb629ca4c0
Opcode Fuzzy Hash: 63a85b23b9c4fcbc2391e192abcb120a192f381abe3b8e5a78a11d651ce3c3d3
Instruction Fuzzy Hash: 4E31F633B385518AEBA89A3DDC01B6976D1E794784FC49134EA0DC7BA4EE3CE4518F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE284, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: c2a4fba42b9c2f429ba217b82c6cf4736a1fe77b1a82e8c9c6be8cf6ac068172
Instruction ID: 145b78e6d2a03f11c5389266d908077831d8d07e94aa5f5f9a58b55a410a2dff
Opcode Fuzzy Hash: c2a4fba42b9c2f429ba217b82c6cf4736a1fe77b1a82e8c9c6be8cf6ac068172
Instruction Fuzzy Hash: A6311633B285518BEBA89B3CDC01B2AA6D1E794744FC49134EA5DC3BA8DE3CE4118F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE128, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 207689a59549d8e70f80a957eee39a599efe20992ff909130c476ebeda97592d
Instruction ID: a105ee785618ddfb8532a53d39d57e08a82913f3657717486984a88972efba5e
Opcode Fuzzy Hash: 207689a59549d8e70f80a957eee39a599efe20992ff909130c476ebeda97592d
Instruction Fuzzy Hash: C5312833B2855147EBA89B3DDC0172A66D1E798745FC48134EA0DC3BA4DE3CE4518F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FE53C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 13fb2d76203020b190a53e76d8b32f838fed71e61ceb08d3bbe0b026e9140834
Instruction ID: 1a30fd616f8f0cb2a4d056c95cd4509186ace1ddc924713d6fda2cd27b65fbb4
Opcode Fuzzy Hash: 13fb2d76203020b190a53e76d8b32f838fed71e61ceb08d3bbe0b026e9140834
Instruction Fuzzy Hash: F231F633B2855586EBA89B3DDC4176A76D1E798784FC48134DA0DC7BA8DE3CE4118F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9166F8, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31d5ba1c7027b35b3766d73dd2ba5c0e98a2abfcae796a983cd17fa34770bce
Instruction ID: a5aff03656f598ff908a0f3bb1af28bb2db1671ac04dcf938c5383c2af73640b
Opcode Fuzzy Hash: e31d5ba1c7027b35b3766d73dd2ba5c0e98a2abfcae796a983cd17fa34770bce
Instruction Fuzzy Hash: FAA00126A28952D8E645AB08AC90021A720EB90701B842872D09E410B49E7CA440EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B927038, Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919594be064018db54899745ed1b407af63c4757e6aa10f7f7da718a0e9eade1
Instruction ID: 079453550c027c58c1d76574222cebd838315a5441ba68a860f8b5a48f51bbb9
Opcode Fuzzy Hash: 919594be064018db54899745ed1b407af63c4757e6aa10f7f7da718a0e9eade1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90222C, Relevance: 63.2, APIs: 5, Strings: 31, Instructions: 201registrythreadCOMMON

Download Yara Rule

APIs

SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B902265
GetWindowPlacement.USER32 ref: 00007FF72B90227B
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B90228C
RegCreateKeyW.ADVAPI32 ref: 00007FF72B9022F3
RegCloseKey.ADVAPI32 ref: 00007FF72B902613

Strings

replaceString, xrefs: 00007FF72B902603
fWrapAround, xrefs: 00007FF72B9025AE
iMarginBottom, xrefs: 00007FF72B9024E7
lfEscapement, xrefs: 00007FF72B90231A
lfOutPrecision, xrefs: 00007FF72B9023C0
iPointSize, xrefs: 00007FF72B90243C
lfPitchAndFamily, xrefs: 00007FF72B902408
iWindowPosX, xrefs: 00007FF72B90252D
StatusBar, xrefs: 00007FF72B902473
lfItalic, xrefs: 00007FF72B902360
lfWeight, xrefs: 00007FF72B902348
szHeader, xrefs: 00007FF72B9024A0
Software\Microsoft\Notepad, xrefs: 00007FF72B9022EC
szTrailer, xrefs: 00007FF72B9024BD
lfOrientation, xrefs: 00007FF72B902331
searchString, xrefs: 00007FF72B9025E6
iMarginRight, xrefs: 00007FF72B902515
lfFaceName, xrefs: 00007FF72B902429
iMarginLeft, xrefs: 00007FF72B9024FE
fWrap, xrefs: 00007FF72B90245C
iWindowPosDY, xrefs: 00007FF72B90256D
fReverse, xrefs: 00007FF72B902596
lfStrikeOut, xrefs: 00007FF72B902390
iWindowPosDX, xrefs: 00007FF72B902555
iMarginTop, xrefs: 00007FF72B9024D0
lfQuality, xrefs: 00007FF72B9023F0
lfClipPrecision, xrefs: 00007FF72B9023D8
lfCharSet, xrefs: 00007FF72B9023A8
lfUnderline, xrefs: 00007FF72B902378
iWindowPosY, xrefs: 00007FF72B902541
fMatchCase, xrefs: 00007FF72B9025C6

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AwarenessContextThread$CloseCreatePlacementWindow
String ID: Software\Microsoft\Notepad$StatusBar$fMatchCase$fReverse$fWrap$fWrapAround$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$replaceString$searchString$szHeader$szTrailer
API String ID: 521538346-3265294410
Opcode ID: a39fd6242cfd55ba54230ae784446cc66c86fc58a02d892a5aacb56082e08748
Instruction ID: 3cd10abacf6bcb3eaf4c160d0a5ab976c80f1a2b6c8ce184f9e02477ca6a24aa
Opcode Fuzzy Hash: a39fd6242cfd55ba54230ae784446cc66c86fc58a02d892a5aacb56082e08748
Instruction Fuzzy Hash: 8DC12C21F18623CAEB00AB69DC805B8B731FB85784F955536EA9C17779CF2CA845CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FAA76, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104threadwindowCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FAA8C
GetDC.USER32 ref: 00007FF72B8FAA93
GetDeviceCaps.GDI32 ref: 00007FF72B8FAAC3
MulDiv.KERNEL32 ref: 00007FF72B8FAAE0
ReleaseDC.USER32 ref: 00007FF72B8FAB09
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FAB19
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FAB3D
SetCursor.USER32 ref: 00007FF72B8FAB58
GetDpiForWindow.USER32 ref: 00007FF72B8FAB6B
MulDiv.KERNEL32 ref: 00007FF72B8FAB7F
CreateFontIndirectW.GDI32 ref: 00007FF72B8FAB96
DeleteObject.GDI32 ref: 00007FF72B8FABB1
SendMessageW.USER32 ref: 00007FF72B8FABD6
SetCursor.USER32 ref: 00007FF72B8FABF2
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FAFC7

Strings

A, xrefs: 00007FF72B8FAAEF

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AwarenessContextCursorThread$CapsCreateDeleteDeviceFontFreeIndirectMessageObjectReleaseSendTaskWindowmemset
String ID: A
API String ID: 548684209-3554254475
Opcode ID: 0d68004bd4d94fc7510ac65ae4bed4df0982b8a26c70f5e2d052b93da25e6da1
Instruction ID: 36d484dd880cc9a46a2d613e0077acaa1f206d7c1abac2f5e09e466818bb7393
Opcode Fuzzy Hash: 0d68004bd4d94fc7510ac65ae4bed4df0982b8a26c70f5e2d052b93da25e6da1
Instruction Fuzzy Hash: 85410835A19A42CBEB00AF59EC90179FAA0FB89B55B859135CE4E53370CF3CA0459B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F22F4, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF72B8F23D5
GetCurrentThreadId.KERNEL32 ref: 00007FF72B8F2457

Part of subcall function 00007FF72B8F2270: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B8F22A8

Strings

FailFast, xrefs: 00007FF72B8F2385
Msg:[%ws] , xrefs: 00007FF72B8F24C2
ReturnHr, xrefs: 00007FF72B8F2397
Exception, xrefs: 00007FF72B8F23A0
LogHr, xrefs: 00007FF72B8F238E
(caller: %p) , xrefs: 00007FF72B8F243F
%hs!%p: , xrefs: 00007FF72B8F241F
[%hs(%hs)], xrefs: 00007FF72B8F2504
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF72B8F2470
CallContext:[%hs] , xrefs: 00007FF72B8F24DD
, xrefs: 00007FF72B8F24A7
%hs(%u)\%hs!%p: , xrefs: 00007FF72B8F2401
[%hs], xrefs: 00007FF72B8F251D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CurrentFormatMessageThread_vsnwprintf
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 223436642-3173542853
Opcode ID: 3fb487f89ca74a7dc530ef6f83c69a2a831ef2433d62587c9e97bb2845fa7921
Instruction ID: eed93d6920499cf5cfec57514ee5a4f3ae8648a60f953edd9ec0c3753374e962
Opcode Fuzzy Hash: 3fb487f89ca74a7dc530ef6f83c69a2a831ef2433d62587c9e97bb2845fa7921
Instruction Fuzzy Hash: B8619361A18642CAEA64EF59AC405B9E3A0FF58784FC05136EA8D03774CF3CF565CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9150C8, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 240sleepmemoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B915112
LocalAlloc.KERNEL32 ref: 00007FF72B915145
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF72B915160
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF72B915190
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00007FF72B9151AA
_o_toupper.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B915265
EtwEventRegister.NTDLL ref: 00007FF72B9152B3
EventProviderEnabled.API-MS-WIN-EVENTING-PROVIDER-L1-1-0 ref: 00007FF72B9152C6
EtwEventUnregister.NTDLL ref: 00007FF72B9152DD
EtwEventUnregister.NTDLL ref: 00007FF72B9152F7
EtwEventUnregister.NTDLL ref: 00007FF72B91547F
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72B915499
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B9154B0

Strings

<unknown>, xrefs: 00007FF72B9153CE

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Event$CountTickUnregister$ExclusiveLock$AcquireAllocEnabledLocalProviderRegisterReleaseSleep_o_toupper
String ID: <unknown>
API String ID: 1911282264-1574992787
Opcode ID: 8ee791aab1a67b0aa0088a650e2a6889b8d3a318a1b62011811feebebf0b1adf
Instruction ID: f790783103f95cd991f2c23af519793bb5545695dbcbf49f3b0f7297cee05c3b
Opcode Fuzzy Hash: 8ee791aab1a67b0aa0088a650e2a6889b8d3a318a1b62011811feebebf0b1adf
Instruction Fuzzy Hash: F5C16E32A28B41CEE700AF28E8803A9B7A4FB89754F965135DA8E03764DF3DD444CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F805C, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF72B8F80AC
GetLastError.KERNEL32 ref: 00007FF72B8F80F7
SetLastError.KERNEL32 ref: 00007FF72B8F811B
GetProcessHeap.KERNEL32 ref: 00007FF72B8F8148
HeapFree.KERNEL32 ref: 00007FF72B8F815C
GetProcessHeap.KERNEL32 ref: 00007FF72B8F81A3
HeapFree.KERNEL32 ref: 00007FF72B8F81B7

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF72B8F81F5

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess$ObjectSingleWait
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 1185803644-3341287125
Opcode ID: da69949bd2cacdce48efdcf9907536830b3dc8794d117ea6e67be8b1c9ffa746
Instruction ID: 308b8708d1d55c12a9c6dab6faf34848d1a986bb55ed09f9f3c78515f30fcb7b
Opcode Fuzzy Hash: da69949bd2cacdce48efdcf9907536830b3dc8794d117ea6e67be8b1c9ffa746
Instruction Fuzzy Hash: 67715522A09A42CAEB14AF69AC40279F7A0FF95B50FD88131DA4D47761DF3CF4619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FD610, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF72B8FD668
GetDlgItemTextW.USER32 ref: 00007FF72B8FD68C
FoldStringW.KERNEL32 ref: 00007FF72B8FD6B3
_o__wtol.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B8FD6C4
SendMessageW.USER32 ref: 00007FF72B8FD6E9
MessageBoxW.USER32 ref: 00007FF72B8FD71E
SendMessageW.USER32 ref: 00007FF72B8FD73C
SetDlgItemTextW.USER32 ref: 00007FF72B8FD76E
SetFocus.USER32 ref: 00007FF72B8FD77D
SendMessageW.USER32 ref: 00007FF72B8FD7A6
SendMessageW.USER32 ref: 00007FF72B8FD7C6
SetDlgItemTextW.USER32 ref: 00007FF72B8FD7F9
SetFocus.USER32 ref: 00007FF72B8FD808

Strings

d, xrefs: 00007FF72B8FD69D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$Send$ItemText$Focus$DialogFoldString_o__wtol
String ID: d
API String ID: 1997187840-2564639436
Opcode ID: 791655032cd52fe6def4c1b808f69328366bac51a57584ad916e6ed8ee19a228
Instruction ID: 53fb131651b935e0efcf2f0019d2df4359eaab41e7b255edac1687dda67dcbdf
Opcode Fuzzy Hash: 791655032cd52fe6def4c1b808f69328366bac51a57584ad916e6ed8ee19a228
Instruction Fuzzy Hash: BA517131A18642CBE710AB18EC046B9BB60FBDA701FD5A131CA8E077A4DF3CE4459F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90E768, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF72B90E7AA
SendMessageW.USER32 ref: 00007FF72B90E7C6
SendMessageW.USER32 ref: 00007FF72B90E7F4
LocalLock.KERNEL32 ref: 00007FF72B90E80F
GetWindowTextLengthW.USER32 ref: 00007FF72B90E882
GetWindowTextLengthW.USER32 ref: 00007FF72B90E8C0

Part of subcall function 00007FF72B90E6F0: FindNLSString.KERNEL32 ref: 00007FF72B90E730

LocalUnlock.KERNEL32 ref: 00007FF72B90E921
SetCursor.USER32 ref: 00007FF72B90E946
SetCursor.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8FA875), ref: 00007FF72B90E98F

Strings

@, xrefs: 00007FF72B90E978

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$CursorLengthLocalTextWindow$FindLockStringUnlock
String ID: @
API String ID: 1480118076-2766056989
Opcode ID: a635ee15a58c34f85256e70f94a93ae0536d5eab8639af8fb064959b65c43efc
Instruction ID: c54cb68cdd57032e3b245e59aa64b6d4caf6903a27ff2a759e20728bb63563d6
Opcode Fuzzy Hash: a635ee15a58c34f85256e70f94a93ae0536d5eab8639af8fb064959b65c43efc
Instruction Fuzzy Hash: 2E718131E18A42CAEB10AF19EC501B9B7A4FF89B44F895535DA8E43774DF3CE4458B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90313C, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 124filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C77
Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C8D

GetSystemMenu.USER32 ref: 00007FF72B903184
LoadAcceleratorsW.USER32 ref: 00007FF72B9031A5
SetWindowLongW.USER32 ref: 00007FF72B9031C8
CreateFileW.KERNEL32(?,?,?,?,?,?,00007FF72B8FC29E), ref: 00007FF72B903225
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF72B8FC29E), ref: 00007FF72B903242
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,00007FF72B8FC29E), ref: 00007FF72B9032FE

Part of subcall function 00007FF72B8FD3C8: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FD403
Part of subcall function 00007FF72B8FD3C8: LocalAlloc.KERNEL32 ref: 00007FF72B8FD440
Part of subcall function 00007FF72B8FD3C8: MessageBoxW.USER32 ref: 00007FF72B8FD4E1
Part of subcall function 00007FF72B8FD3C8: LocalFree.KERNEL32 ref: 00007FF72B8FD4F2

CreateFileW.KERNEL32(?,?,?,?,?,?,00007FF72B8FC29E), ref: 00007FF72B9032D8

Strings

/.SETUP, xrefs: 00007FF72B90315B
3, xrefs: 00007FF72B9032A0
SlipUpAcc, xrefs: 00007FF72B903197

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CharCreateFileFreeLocalUpper$AcceleratorsAllocErrorLastLoadLongMenuMessageSystemTaskWindowwcsnlen
String ID: /.SETUP$3$SlipUpAcc
API String ID: 1676377551-1567928811
Opcode ID: 1a1a4fc042810b346b03a9f74f25a05da530b0beb62227f0349f079ccdd146cf
Instruction ID: 21c6a037c5c51e2c9a707d0f4370db7d50e0c810b82c3fe2ff009072a4d2d058
Opcode Fuzzy Hash: 1a1a4fc042810b346b03a9f74f25a05da530b0beb62227f0349f079ccdd146cf
Instruction Fuzzy Hash: 62515D31D0CA02CAE710AB19AC80179BBA0FB89794FC48A35DA8D477B4CF3CE4419F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F8304, Relevance: 18.1, APIs: 12, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72B8F833A
GetLastError.KERNEL32 ref: 00007FF72B8F8322

Part of subcall function 00007FF72B8F84B8: SetThreadpoolTimer.KERNEL32(?,?,?,00007FF72B8F82E8), ref: 00007FF72B8F84C9
Part of subcall function 00007FF72B8F84B8: WaitForThreadpoolTimerCallbacks.KERNEL32(?,?,?,00007FF72B8F82E8), ref: 00007FF72B8F84DD

GetLastError.KERNEL32 ref: 00007FF72B8F8354
SetLastError.KERNEL32 ref: 00007FF72B8F836C
GetProcessHeap.KERNEL32 ref: 00007FF72B8F8391
HeapFree.KERNEL32 ref: 00007FF72B8F83A5
GetProcessHeap.KERNEL32 ref: 00007FF72B8F83C6
HeapFree.KERNEL32 ref: 00007FF72B8F83DA
DeleteCriticalSection.KERNEL32 ref: 00007FF72B8F83E9
GetProcessHeap.KERNEL32 ref: 00007FF72B8F8409
HeapFree.KERNEL32 ref: 00007FF72B8F841D
DeleteCriticalSection.KERNEL32 ref: 00007FF72B8F842D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$ErrorLast$FreeProcess$CriticalDeleteSectionThreadpoolTimer$CallbacksWait
String ID:
API String ID: 3162582620-0
Opcode ID: 62260a71dc7dbe7e741077152bc767b8f2433958c879216440b9ae0c7a72b7ee
Instruction ID: aac9f9a1d137a14233c8b4dd65752ade9d7bff923cb3cd7e6df5d5bef247e911
Opcode Fuzzy Hash: 62260a71dc7dbe7e741077152bc767b8f2433958c879216440b9ae0c7a72b7ee
Instruction Fuzzy Hash: 35413D21B05A41DBEB09AB659950378EB60FF99F81FC89134CA0E17B61CF3CF4619B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FA110, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 249threadwindowfileCOMMON

Download Yara Rule

APIs

SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FA15A

Part of subcall function 00007FF72B910544: SetCursor.USER32 ref: 00007FF72B910568
Part of subcall function 00007FF72B910544: SetCursor.USER32 ref: 00007FF72B91059C

SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FA173
MessageBoxW.USER32 ref: 00007FF72B8FA30C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FA3A0
CreateFileW.KERNEL32 ref: 00007FF72B8FA444
MessageBoxW.USER32 ref: 00007FF72B8FA4EA
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FA504
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FAFC7

Strings

*.txt, xrefs: 00007FF72B8FA289

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FreeTask$AwarenessContextCursorMessageThread$CreateFile
String ID: *.txt
API String ID: 1452784593-4006125282
Opcode ID: cac5249f4c9052c3664b7dd738064fe643d34b03741e7a4438416d59feb5b531
Instruction ID: a2d84004074f4f37870971a9624c591cb2c78c32195ec9893d77783caa9ebdc6
Opcode Fuzzy Hash: cac5249f4c9052c3664b7dd738064fe643d34b03741e7a4438416d59feb5b531
Instruction Fuzzy Hash: ACC15926E0C643CAEA10BB28AC401B9E7A0FFA5794FC54135D99D476B1DE3CF4558FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FB320, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FB2C0: SendMessageW.USER32(?,?,?,?,00007FF72B8FB35C), ref: 00007FF72B8FB2DE
Part of subcall function 00007FF72B8FB2C0: SendMessageW.USER32(?,?,?,?,00007FF72B8FB35C), ref: 00007FF72B8FB301

SHStrDupW.API-MS-WIN-SHCORE-OBSOLETE-L1-1-0 ref: 00007FF72B8FB3FE
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FB459
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FB536

Strings

*.txt, xrefs: 00007FF72B8FB3EA

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$FreeTaskmemset
String ID: *.txt
API String ID: 3329309475-4006125282
Opcode ID: d0675baab160861ef060521cd6e32b0cffc033986fa3b0c312438cf8429070ea
Instruction ID: be245bd329c20b896766b9cfe5696241bebed7e657a632a10804072185272858
Opcode Fuzzy Hash: d0675baab160861ef060521cd6e32b0cffc033986fa3b0c312438cf8429070ea
Instruction Fuzzy Hash: E0717D22A08A42C6EA10AF19EC805B9F7A0FF99B84FC55135DA8E43775DF3CE5458F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B913584, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9135D4
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9135EE
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913607
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B91366E
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913696
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B9136D2
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913761

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B91361D, 00007FF72B9136EC
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B91368F

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: StringWindows$Delete$Create$ActivationFactoryReference
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3735519776-1088074545
Opcode ID: 06625141e27b5d7a36cdedd879e2a11db8c6fce2c7bf99dd99a0b1cd264d1ef9
Instruction ID: 2bbc32b687616176d46e993b578a7fcb693443dcbc93ddfdae4b9efc6f26afbf
Opcode Fuzzy Hash: 06625141e27b5d7a36cdedd879e2a11db8c6fce2c7bf99dd99a0b1cd264d1ef9
Instruction Fuzzy Hash: B0515F36B28A46DDEB00AB69EC400ACB770FB88B94B959132CE8E57774CF38D405D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F32D8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF72B8F32EA

Strings

wil, xrefs: 00007FF72B8F3305, 00007FF72B8F3435

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 4ee86bbd529652bca52049444ff4daebd2e8eb897cfad94c258fc3d89aa31029
Instruction ID: 4e06306625904e3c9dd8332dafc300da7aabd80b937ee945e6c75c9033281020
Opcode Fuzzy Hash: 4ee86bbd529652bca52049444ff4daebd2e8eb897cfad94c258fc3d89aa31029
Instruction Fuzzy Hash: 59417E71A18542C7F320AB29EC40279E6A1EFA5750FE4D131D94E83AB4CF3CF8559EA1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90F068, Relevance: 15.1, APIs: 10, Instructions: 112COMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F0E5
TextOutW.GDI32 ref: 00007FF72B90F108
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F12F
GetTextExtentPoint32W.GDI32 ref: 00007FF72B90F149
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F17F
TextOutW.GDI32 ref: 00007FF72B90F19A
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F1BD
GetTextExtentPoint32W.GDI32 ref: 00007FF72B90F1D7
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B90F1F9
TextOutW.GDI32 ref: 00007FF72B90F214

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Textwcsnlen$ExtentPoint32
String ID:
API String ID: 4145614311-0
Opcode ID: 86b20bf711ad77287d50001263b16c96d834eae36ebb030179c11d5782889687
Instruction ID: 255f40a82510fc77cf794a888bb6a05d9923b751461b502f39c004ee98898d0e
Opcode Fuzzy Hash: 86b20bf711ad77287d50001263b16c96d834eae36ebb030179c11d5782889687
Instruction Fuzzy Hash: 5E511835A18642CFE610AF29EC44579FBA1FB99B84B869531D98E43B34CF3CE1498B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9019D4, Relevance: 15.1, APIs: 10, Instructions: 95windowmemoryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF72B901A14
GetLastError.KERNEL32 ref: 00007FF72B901A36
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B901A47
SetLastError.KERNEL32 ref: 00007FF72B901A55
SendMessageW.USER32 ref: 00007FF72B901A81
SendMessageW.USER32 ref: 00007FF72B901A9F
LocalReAlloc.KERNEL32 ref: 00007FF72B901ABA
LocalLock.KERNEL32 ref: 00007FF72B901ADB
LocalUnlock.KERNEL32 ref: 00007FF72B901AF6
SendMessageW.USER32 ref: 00007FF72B901B18

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$Local$ErrorLast$AllocFreeLockTaskUnlock
String ID:
API String ID: 1218993353-0
Opcode ID: d3ac5847a9cd668c2f3b2d5a8124951d485e6b8d954f64244d2d59991ca134cc
Instruction ID: af2b2899d7b8ee24cd5b3ea0ae25c7774dc1b77cfd5c2257683bc3cbf48065ed
Opcode Fuzzy Hash: d3ac5847a9cd668c2f3b2d5a8124951d485e6b8d954f64244d2d59991ca134cc
Instruction Fuzzy Hash: 6A410835E18B42CBE700AB68AC51675BBA0EF99B41F869135DA8E03771CE3CE4449F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B914120, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9141CA
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914200
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B914215
CompareStringOrdinal.KERNEL32 ref: 00007FF72B914236
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B91424B
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9142AB
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9142F6

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B91415F, 00007FF72B9142DE

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: String$Windows$Delete$Buffer$CompareOrdinal
String ID: shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3050908022-1113416246
Opcode ID: 1ac93d61013a0de25a254a2ce7438a4d1fd1909c8479bdd75e3fc2e6e35afc6f
Instruction ID: f1088fa9ac11a718a590f90b8ba51c9c31d6b94d1135ba592d53cbafa51a1862
Opcode Fuzzy Hash: 1ac93d61013a0de25a254a2ce7438a4d1fd1909c8479bdd75e3fc2e6e35afc6f
Instruction Fuzzy Hash: 9B512B32624A46CEEB14AF29DC841ACB760FBC9B88B946131EE4E57774CF38D445EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F30FC, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

CreateSemaphoreExW.KERNEL32 ref: 00007FF72B8F3195
GetLastError.KERNEL32 ref: 00007FF72B8F31B1

Part of subcall function 00007FF72B8F3040: FindCloseChangeNotification.KERNELBASE ref: 00007FF72B8F3010

SetLastError.KERNEL32 ref: 00007FF72B8F31C9
CreateSemaphoreExW.KERNEL32 ref: 00007FF72B8F323B
GetLastError.KERNEL32 ref: 00007FF72B8F3258
SetLastError.KERNEL32 ref: 00007FF72B8F3270

Strings

_p0, xrefs: 00007FF72B8F3151
wil, xrefs: 00007FF72B8F31F4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorLast$CreateSemaphore$ChangeCloseFindNotification
String ID: _p0$wil
API String ID: 17413022-1814513734
Opcode ID: 15439db9aecac90577134df4d83e766dd0a56c984ae96890dbcae9cfe25c0142
Instruction ID: 81bb8da8242c021b79f9fbf372b73355c49f4b6be10f75a8a23d0b03bba3b180
Opcode Fuzzy Hash: 15439db9aecac90577134df4d83e766dd0a56c984ae96890dbcae9cfe25c0142
Instruction Fuzzy Hash: E141A021B18B42CAE710BF69A8942B9F650FB98B51FC49035EE8E07761CF3CF4558B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90164E, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 110windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FD3C8: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FD403
Part of subcall function 00007FF72B8FD3C8: LocalAlloc.KERNEL32 ref: 00007FF72B8FD440
Part of subcall function 00007FF72B8FD3C8: MessageBoxW.USER32 ref: 00007FF72B8FD4E1
Part of subcall function 00007FF72B8FD3C8: LocalFree.KERNEL32 ref: 00007FF72B8FD4F2

UnmapViewOfFile.KERNEL32 ref: 00007FF72B9016A0
LocalUnlock.KERNEL32 ref: 00007FF72B901721
SendMessageW.USER32 ref: 00007FF72B901756
SendMessageW.USER32 ref: 00007FF72B9017A3
SetCursor.USER32 ref: 00007FF72B9017BF
SendMessageW.USER32 ref: 00007FF72B90180F

Strings

0, xrefs: 00007FF72B9017D1
0, xrefs: 00007FF72B90164E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$LocalSend$AllocCursorFileFreeUnlockUnmapViewwcsnlen
String ID: 0$0
API String ID: 2825476163-203156872
Opcode ID: 8fa81f48bb8d6d9f1be5de176776439d72159b3c7b50505ac209e22e07e7363c
Instruction ID: 7ebd60febeb3848665d8457e1155b0dc863d092b266e648611084151c578a589
Opcode Fuzzy Hash: 8fa81f48bb8d6d9f1be5de176776439d72159b3c7b50505ac209e22e07e7363c
Instruction Fuzzy Hash: A8516E26D08692C6EB51AB19EC1027AB7A4FF85B40FC69132DA8D03371CF7CE5858F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9132F8, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8FAE9C), ref: 00007FF72B91333F
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72B8FAE9C), ref: 00007FF72B91337B

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B913391, 00007FF72B9133CD, 00007FF72B913409, 00007FF72B91344B, 00007FF72B913498
Windows.ApplicationModel.DataTransfer.Clipboard, xrefs: 00007FF72B913331

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.ApplicationModel.DataTransfer.Clipboard$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-3637659222
Opcode ID: f424c9abce4143103481942801846a9f67e458941c05e398d7742467aacb8480
Instruction ID: 401a1646371d99ec79a54486bdbe4e322160d76302a1e25842a9984f1de06809
Opcode Fuzzy Hash: f424c9abce4143103481942801846a9f67e458941c05e398d7742467aacb8480
Instruction Fuzzy Hash: 00710B36B28B16D9EB00EB69EC400AC7774FB88B88B909032DE8E57B64DF38D445D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90336C, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C77
Part of subcall function 00007FF72B902C54: CharUpperW.USER32 ref: 00007FF72B902C8D

ShowWindow.USER32 ref: 00007FF72B903401
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B903458

Strings

/PT, xrefs: 00007FF72B90338B
0, xrefs: 00007FF72B903555

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CharUpper$FreeShowTaskWindow
String ID: /PT$0
API String ID: 4259454098-4063893260
Opcode ID: 58566343a5c4559178d06821d97cad775fe8e1525aa111208a6da53a7a63a4a1
Instruction ID: 7ace3bf15540bef96243deb1ab54aae57c9c0df6de6d666023993ff020ae513a
Opcode Fuzzy Hash: 58566343a5c4559178d06821d97cad775fe8e1525aa111208a6da53a7a63a4a1
Instruction Fuzzy Hash: EE514D62E1C652C6EB50BB1DA8502B9F690EF88B50FD48931DACE476B1DF3CE4419E20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B901C70, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B901CCD
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B901D84
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B901DA9
CloseHandle.KERNEL32 ref: 00007FF72B901E57
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B901E91

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B901D7D
0, xrefs: 00007FF72B901E43

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCloseCreateFactoryFreeHandleReferenceStringTaskWindowsmemset
String ID: 0$Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1025271488-297563236
Opcode ID: 1815e913017c5b10e38db30a100b821f9e16eeac015e67d1f05c570171450124
Instruction ID: bab0e7d6df03118b90aa54b6f96fb61677d4a24d1dd309cfa45e3c9f74486956
Opcode Fuzzy Hash: 1815e913017c5b10e38db30a100b821f9e16eeac015e67d1f05c570171450124
Instruction Fuzzy Hash: 9D615232A28A52C6E710AB18DC543BDB760FB94794F915136EA8D436B4DF3CE484CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F9850, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 117threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8F98BC

Part of subcall function 00007FF72B8F21F0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B8F2230

SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8F9984
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8F99CD
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8F9A1D

Strings

*.txt, xrefs: 00007FF72B8F98C8
%s%c*.txt%c%s%c*.*%c, xrefs: 00007FF72B8F98FD
txt, xrefs: 00007FF72B8F9949

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AwarenessContextTaskThread$AllocFree_vsnwprintfmemset
String ID: %s%c*.txt%c%s%c*.*%c$*.txt$txt
API String ID: 2351153411-3032785013
Opcode ID: 349e908ef4443145f78ddaa6866d9a6adf1f0618bcc9839a4f6fafb0289827c4
Instruction ID: b781752819161e72f20512885539ccd05071d4b9db37d3fa4af6d851a8559c7d
Opcode Fuzzy Hash: 349e908ef4443145f78ddaa6866d9a6adf1f0618bcc9839a4f6fafb0289827c4
Instruction Fuzzy Hash: 7E514832A18B42CAEB10EB59EC403A9B7A4FB98B54FC54135DA8D477A4DF3CE055CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B900DC8, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PathFindExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B900DDE
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B900DFD
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B900E59

Strings

test/log, xrefs: 00007FF72B900E70
Unknown, xrefs: 00007FF72B900E79
FAIL/Error, xrefs: 00007FF72B900E67
.log, xrefs: 00007FF72B900DF3

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExtensionFindFreePathTask_o__wcsicmp
String ID: .log$FAIL/Error$Unknown$test/log
API String ID: 2494169980-2209339843
Opcode ID: 08917038e2a224ed25ee7584d64dde88f1fceca0b809603fb4b7886e7937b1b8
Instruction ID: 42e50517a79ff3d4836e996cbd46b08a29ac5db514ff0e1a2130a655aafc6ed6
Opcode Fuzzy Hash: 08917038e2a224ed25ee7584d64dde88f1fceca0b809603fb4b7886e7937b1b8
Instruction Fuzzy Hash: E4114F72A18746CAE710AB15E8443BAFA61FB85790FC45035EA8D02664CF3CE444CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B91084C, Relevance: 12.1, APIs: 8, Instructions: 117windowmemoryCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910889
GlobalAlloc.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9108C6
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910945
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B91095A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9109A3
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9109BA
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B91079E,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B9109DB
GlobalFree.KERNEL32 ref: 00007FF72B9109EA

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: memcpy$GlobalMessageSend$AllocFreewcsnlen
String ID:
API String ID: 1997934235-0
Opcode ID: 78fcb64e1144e1fd77dfd00335271e420b2a6e458c17db2f54b4af874089e1fc
Instruction ID: 54813f4978833fda596cd12550f9518eddfc0b0cda9c19ed90b4ed0c692e2b6c
Opcode Fuzzy Hash: 78fcb64e1144e1fd77dfd00335271e420b2a6e458c17db2f54b4af874089e1fc
Instruction Fuzzy Hash: 00419631718A82CFEA10AF1AAC452AAEB90FBC9BD4F845035DECD47B55DE3DE4059B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FD83C, Relevance: 12.1, APIs: 8, Instructions: 106windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF72B8FD877
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD89A
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD8BD
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD8E0
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD903
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD9A0
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD9C0
SendDlgItemMessageW.USER32 ref: 00007FF72B8FD9E4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 0adb29e50f697d931382218fd850552aa829a59bb512d2abb2ee7c78866c6dba
Instruction ID: a38c123d22c9d847e417171e71f1b0cfccec863b49ebb3047e3c0e0d138a45c5
Opcode Fuzzy Hash: 0adb29e50f697d931382218fd850552aa829a59bb512d2abb2ee7c78866c6dba
Instruction Fuzzy Hash: BF416031B18B81C6E7209F19BC40A69BBA0FBD9B94F859235DA8D43B64CF3CE0458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B910A1C, Relevance: 12.1, APIs: 8, Instructions: 93windowCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910A49
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910A6E
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910A8C
LocalLock.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910AA7
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910B1E
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910B41
SendMessageW.USER32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910B64
LocalUnlock.KERNEL32(?,00000001,00000000,00000000,00000000,00007FF72B9107C0,?,?,?,00000001,00000000,00007FF72B8FBD20), ref: 00007FF72B910B75

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$Local$LockUnlockwcsnlen
String ID:
API String ID: 3687776761-0
Opcode ID: a92c930151c535ffecf25aeab5c35b4b4b7cbdef28793b336ddaac6d5b7b45c1
Instruction ID: fc76d8ea0421777e9f9c7d978f3046750d94b36556953692b3ae74402b09116f
Opcode Fuzzy Hash: a92c930151c535ffecf25aeab5c35b4b4b7cbdef28793b336ddaac6d5b7b45c1
Instruction Fuzzy Hash: 5B415B35A19642CBEA00AB18E84067AFBA0FBC9795F859131DE8D43B74CE3CE4459F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B911704, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_vscwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B911733

Part of subcall function 00007FF72B916DE0: _o___stdio_common_vswprintf.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B916E0F

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

_vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B9117EC
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF72B910E0A), ref: 00007FF72B91184C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF72B910E0A), ref: 00007FF72B911775

Part of subcall function 00007FF72B8FDCD8: GetLastError.KERNEL32 ref: 00007FF72B8FDD02
Part of subcall function 00007FF72B8FDCD8: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FDD13
Part of subcall function 00007FF72B8FDCD8: SetLastError.KERNEL32 ref: 00007FF72B8FDD21

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(00000000,?,?,00000000,00000002,00000000,000F003F,?,00007FF72B910E0A), ref: 00007FF72B91187F

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF72B91178A, 00007FF72B911835

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Task$Free$ErrorLast$Alloc_o___stdio_common_vswprintf_vscwprintf_vsnwprintf
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 3516882015-3341287125
Opcode ID: 312cbff025d18e022040c37755ba7b8cba62d550ad93bb1a6ac664d99372c52f
Instruction ID: 303fd3a41c7de0178bba4aa63ebfa59d5dac20a1a2810bfd5fc8fd95edaaeee4
Opcode Fuzzy Hash: 312cbff025d18e022040c37755ba7b8cba62d550ad93bb1a6ac664d99372c52f
Instruction Fuzzy Hash: 4441D226F24622E9EB11BB159C000BDA660EFC47A4FD8A131DE5D177A0DF3CE492DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F7B6C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF72B8F7BBE
GetLastError.KERNEL32 ref: 00007FF72B8F7C04
SetLastError.KERNEL32 ref: 00007FF72B8F7C1C
GetProcessHeap.KERNEL32 ref: 00007FF72B8F7C5D
HeapFree.KERNEL32 ref: 00007FF72B8F7C71

Strings

onecore\internal\sdk\inc\wil\opensource\wil\resource.h, xrefs: 00007FF72B8F7D1E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorHeapLast$FreeObjectProcessSingleWait
String ID: onecore\internal\sdk\inc\wil\opensource\wil\resource.h
API String ID: 453756160-3341287125
Opcode ID: b9de2dd6f2057d753dd07eadf59561444939490f20701e74ddb828d5e544b189
Instruction ID: aa4754a06d268082238614b49451504fb54f03e310f2066bbde817a58460123e
Opcode Fuzzy Hash: b9de2dd6f2057d753dd07eadf59561444939490f20701e74ddb828d5e544b189
Instruction Fuzzy Hash: 97518635A0864296FA60BB29DC442B9F790FFA5740FC44531DA8E426B1DF3CF554CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F9BC0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8F9C2E

Part of subcall function 00007FF72B8F21F0: _vsnwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF72B8F2230

SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8F9CF9
SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8F9D4F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8F9D83

Strings

%s%c*.txt%c%s%c*.*%c, xrefs: 00007FF72B8F9C70
txt, xrefs: 00007FF72B8F9CD4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AwarenessContextTaskThread$AllocFree_vsnwprintfmemset
String ID: %s%c*.txt%c%s%c*.*%c$txt
API String ID: 2351153411-81093622
Opcode ID: d8023eb52343553a80af9855a4d76899e2fa53e77e7dc4b2ccf917f24767a52d
Instruction ID: 54c245afa8d6d3a0e31a00369dacbb63e5ffbad47da7d98bb295b78a9d14a089
Opcode Fuzzy Hash: d8023eb52343553a80af9855a4d76899e2fa53e77e7dc4b2ccf917f24767a52d
Instruction Fuzzy Hash: 1A515B32A19B42CAE700EF19EC403A9B7A4FB99B54F954135DA8D077A4DF3CE115CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6D80, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F6E79
GetProcAddress.KERNEL32 ref: 00007FF72B8F6E96
GetProcessHeap.KERNEL32 ref: 00007FF72B8F6EFE
HeapFree.KERNEL32 ref: 00007FF72B8F6F12

Strings

RtlNotifyFeatureUsage, xrefs: 00007FF72B8F6E8C
ntdll.dll, xrefs: 00007FF72B8F6E72

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$AddressFreeHandleModuleProcProcess
String ID: RtlNotifyFeatureUsage$ntdll.dll
API String ID: 3729415315-2443152447
Opcode ID: 65e9f402a284b7b318187300b87fdd6f017aae09a3d9a1bef9bc618029b1c789
Instruction ID: 80490934f674f4afcba97c9ea362b99c347944bde7312336092990678baaae60
Opcode Fuzzy Hash: 65e9f402a284b7b318187300b87fdd6f017aae09a3d9a1bef9bc618029b1c789
Instruction Fuzzy Hash: 93418D21E1A64386FA60AB19EC40379E2A1EFA4B00FC44235D98D476B1DF2CF455DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6504, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F653C
GetModuleHandleW.KERNEL32 ref: 00007FF72B8F6575
GetProcAddress.KERNEL32 ref: 00007FF72B8F6592
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6617

Strings

RtlRegisterFeatureConfigurationChangeNotification, xrefs: 00007FF72B8F6588
ntdll.dll, xrefs: 00007FF72B8F656E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireAddressHandleModuleProcRelease
String ID: RtlRegisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 303310891-4023217342
Opcode ID: 0e76a87a3097591dc206d2412d72bae637e9f77d0bdd4f39113b0d76c6aab5ac
Instruction ID: f3b75c63403b958165edfdf49556683aa63b00c9df282fe340cc533d3c7443bd
Opcode Fuzzy Hash: 0e76a87a3097591dc206d2412d72bae637e9f77d0bdd4f39113b0d76c6aab5ac
Instruction Fuzzy Hash: 24315961A08B02CAEA10AF19EC403B9A7A0FB69B84FC49131DE4D57764DF3CF556CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6A18, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8F3DF4: GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3E23
Part of subcall function 00007FF72B8F3DF4: GetProcAddress.KERNEL32 ref: 00007FF72B8F3E40

GetLastError.KERNEL32 ref: 00007FF72B8F6A83

Part of subcall function 00007FF72B8F4C7C: GetModuleHandleW.KERNEL32 ref: 00007FF72B8F4CA4
Part of subcall function 00007FF72B8F4C7C: GetProcAddress.KERNEL32 ref: 00007FF72B8F4CC1

SetLastError.KERNEL32 ref: 00007FF72B8F6A9B
GetModuleHandleW.KERNEL32 ref: 00007FF72B8F6ACA
GetProcAddress.KERNEL32 ref: 00007FF72B8F6AE7

Strings

ntdll.dll, xrefs: 00007FF72B8F6AC3
RtlSubscribeWnfStateChangeNotification, xrefs: 00007FF72B8F6ADD

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast
String ID: RtlSubscribeWnfStateChangeNotification$ntdll.dll
API String ID: 798792539-2214456325
Opcode ID: c4a15f7a3caf167a17fd10fa7e5ad88768ae1a047e1621a6ad3b7e24851d4a66
Instruction ID: 6a65d487e43908f54a9d03526b898702eec3b10dc829442d65363ae25ad6176b
Opcode Fuzzy Hash: c4a15f7a3caf167a17fd10fa7e5ad88768ae1a047e1621a6ad3b7e24851d4a66
Instruction Fuzzy Hash: D7319E32A19B41CAEB01AF19E8443B9B7A0FB88B95FC54235DA8D07360DF3CE455CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90EF20, Relevance: 10.6, APIs: 7, Instructions: 77windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 00007FF72B90EF64
EnableWindow.USER32 ref: 00007FF72B90EF86
DestroyWindow.USER32 ref: 00007FF72B90EF99
GetSystemMenu.USER32 ref: 00007FF72B90EFB8
CharNextW.USER32 ref: 00007FF72B90F002
SetDlgItemTextW.USER32 ref: 00007FF72B90F02C
SetFocus.USER32 ref: 00007FF72B90F03B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: EnableItemMenuWindow$CharDestroyFocusNextSystemText
String ID:
API String ID: 1812101388-0
Opcode ID: 9ad82370c2f20138d4384038108ab96d09581fd33f7c2d60a9c2cb9bee2a705e
Instruction ID: 3086027e9d881e95c5a9389fa8c7b38db4d7b739ad85ebc3a3745eeb43cd6aa5
Opcode Fuzzy Hash: 9ad82370c2f20138d4384038108ab96d09581fd33f7c2d60a9c2cb9bee2a705e
Instruction Fuzzy Hash: DF316F35E18A42CAF7506B19AC40174FAA4FB9AB80FD99431CE8E47774CF3CE4419B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90FE0C, Relevance: 9.3, APIs: 6, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5459812730bc5f8edcb16be93eeac25d08fe202c385c4a76f4d8e42298880c44
Instruction ID: d9b8564ac464a59e84f9d340815c8b380f547a8395f0922f6b30d09177e39097
Opcode Fuzzy Hash: 5459812730bc5f8edcb16be93eeac25d08fe202c385c4a76f4d8e42298880c44
Instruction Fuzzy Hash: 89D1B562F19642CAEB11AF18DC112B9B760FB45B84FD49132CE9E232A4DF3DE545DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9037E8, Relevance: 9.1, APIs: 6, Instructions: 131windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF72B90ED58), ref: 00007FF72B903810
SendMessageW.USER32(?,?,?,?,?,?,?,?,FFFFFFEC,00000000,?,00007FF72B90ED58), ref: 00007FF72B903831
SendMessageW.USER32 ref: 00007FF72B9038C9
SendMessageW.USER32 ref: 00007FF72B9038F6
SendMessageW.USER32 ref: 00007FF72B90397C
SendMessageW.USER32 ref: 00007FF72B903A02

Part of subcall function 00007FF72B912434: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B912472

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: MessageSend$CreateDestroyInstanceWindow
String ID:
API String ID: 2293694912-0
Opcode ID: 7a35bc669f7bc77a4cd38f2090d68a54cf04a38a341ec3273df228e13b34f778
Instruction ID: a08d2b65ff4c22115a3f8d0ff96d4bcbfc7cdda63e0f8408a9db4b92afa91098
Opcode Fuzzy Hash: 7a35bc669f7bc77a4cd38f2090d68a54cf04a38a341ec3273df228e13b34f778
Instruction Fuzzy Hash: 43516436B18A41CAEB10EF19EC41AA8BB60FB99745FC56135D98D87B64CF3CD1458F20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FD3C8, Relevance: 9.1, APIs: 6, Instructions: 110windowmemoryCOMMON

Download Yara Rule

APIs

wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FD403
wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FD427
LocalAlloc.KERNEL32 ref: 00007FF72B8FD440
MessageBoxW.USER32 ref: 00007FF72B8FD4E1
LocalFree.KERNEL32 ref: 00007FF72B8FD4F2
MessageBoxW.USER32 ref: 00007FF72B8FD50E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: LocalMessagewcsnlen$AllocFree
String ID:
API String ID: 4016091692-0
Opcode ID: 8f1c56fe61170f4c6d82ebde5f95a0caef2c6d0e6c087b44075e1cc02230ff5f
Instruction ID: ed7581f299fda2e222835ef587f6e48e546c7138437a1046212c92e2040a2893
Opcode Fuzzy Hash: 8f1c56fe61170f4c6d82ebde5f95a0caef2c6d0e6c087b44075e1cc02230ff5f
Instruction Fuzzy Hash: D7418E22E09741C6EA106F1AA804139F6A1FFA9F85BD49430DF4E47364EE3CF4619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B900360, Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF72B9003D4

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7f0b120ea91feeb67977716628403d5ab924ca998ea5c2519390a9e16c282540
Instruction ID: ba7690368f9bff5e09c322230bb485ea9042ed21528a3934359037be692e8796
Opcode Fuzzy Hash: 7f0b120ea91feeb67977716628403d5ab924ca998ea5c2519390a9e16c282540
Instruction Fuzzy Hash: B8316D32618B86CBD3209F1AA844669FBA5F78DB90F955235DE8E43B24DF3CE445DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F673C, Relevance: 9.1, APIs: 6, Instructions: 83threadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F67A3
CreateThreadpoolTimer.KERNEL32 ref: 00007FF72B8F67FA
GetLastError.KERNEL32 ref: 00007FF72B8F6812
SetLastError.KERNEL32 ref: 00007FF72B8F682A
SetThreadpoolTimer.KERNEL32 ref: 00007FF72B8F6859
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6871

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorExclusiveLastLockThreadpoolTimer$AcquireCreateRelease
String ID:
API String ID: 117860038-0
Opcode ID: 8474d3e4229c47791c521839211181dcefb8debf01fb96103a9dfc472595066d
Instruction ID: c550521385b3757865125a1fc358f8182130cf6d5ea79d5c0f2a94a28636c3fe
Opcode Fuzzy Hash: 8474d3e4229c47791c521839211181dcefb8debf01fb96103a9dfc472595066d
Instruction Fuzzy Hash: 0F319322A18781CAE760AB25A840139FBA0FB59B90FC45235DE8D03B64DF3CF461CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F7028, Relevance: 9.1, APIs: 6, Instructions: 76threadtimeCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F707C
CreateThreadpoolTimer.KERNEL32 ref: 00007FF72B8F70C5
GetLastError.KERNEL32 ref: 00007FF72B8F70DD
SetLastError.KERNEL32 ref: 00007FF72B8F70F5
SetThreadpoolTimer.KERNEL32 ref: 00007FF72B8F712A
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F7142

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ErrorExclusiveLastLockThreadpoolTimer$AcquireCreateRelease
String ID:
API String ID: 117860038-0
Opcode ID: 08fd87acd06f7e49d55c623870f8d8ca2a4f3736c58bb87430829173edec6092
Instruction ID: 558477bbefca0915b3509d61e8fda8396e667eb9a9caf903bd62d858594e8e77
Opcode Fuzzy Hash: 08fd87acd06f7e49d55c623870f8d8ca2a4f3736c58bb87430829173edec6092
Instruction Fuzzy Hash: 7E316F35A08B41DBFB116F29A840279EB60FB95B90FC89130DE4D03B64DF3CE4A99B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6058, Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 00007FF72B8F6079
ReleaseSRWLockShared.KERNEL32 ref: 00007FF72B8F6099
EnterCriticalSection.KERNEL32 ref: 00007FF72B8F60B9
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F60C8
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6120
LeaveCriticalSection.KERNEL32 ref: 00007FF72B8F6145

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
String ID:
API String ID: 3221859647-0
Opcode ID: 7c087d334c52c9c59e6380833283053256dff1cc3d03c912f71d724a765cb576
Instruction ID: 283dc6adf0d7306aa04745dc76bec39dd6e0abb63c3ea4b89603aff17e9ceabe
Opcode Fuzzy Hash: 7c087d334c52c9c59e6380833283053256dff1cc3d03c912f71d724a765cb576
Instruction Fuzzy Hash: 44317F62B18A51CAEA116F15A900179FB61FB99FD0BC99230DE4E17B24CF3CE495CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9102C8, Relevance: 9.1, APIs: 6, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF72B910321
GlobalLock.KERNEL32 ref: 00007FF72B910334
GlobalLock.KERNEL32 ref: 00007FF72B910351
CreateDCW.GDI32 ref: 00007FF72B910379
GlobalUnlock.KERNEL32(?,?,?,00007FF72B910582), ref: 00007FF72B91038F
GlobalUnlock.KERNEL32(?,?,?,00007FF72B910582), ref: 00007FF72B9103A7

Part of subcall function 00007FF72B8FDC80: SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FDC94
Part of subcall function 00007FF72B8FDC80: SetThreadDpiAwarenessContext.USER32 ref: 00007FF72B8FDCB7

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Global$AwarenessContextLockThreadUnlock$CreateMessage
String ID:
API String ID: 2654941827-0
Opcode ID: 17a1fc3f85381ab1e3b4d03d52c5a54b7720e26b7c8eab082f24ede78446b615
Instruction ID: b428649962c2fc1ffc0f496c02097f2fb9595fc6f048da067fc4d27cd84b7c72
Opcode Fuzzy Hash: 17a1fc3f85381ab1e3b4d03d52c5a54b7720e26b7c8eab082f24ede78446b615
Instruction Fuzzy Hash: BA213021A19A42CFEA04AB59EC54578F7A0FF89B84BC69131C98E53270DF3CE455EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F55AC, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 291COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF72B8F51BD), ref: 00007FF72B8F562A

Part of subcall function 00007FF72B8F52EC: memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00000000,?,00000000,?,00007FF72B8F57E5), ref: 00007FF72B8F5467

_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF72B8F51BD), ref: 00007FF72B8F58BC
_o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF72B8F51BD), ref: 00007FF72B8F58CE
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF72B8F51BD), ref: 00007FF72B8F58DF

Strings

onecore\internal\sdk\inc\wil/Staging.h, xrefs: 00007FF72B8F55BB

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: _o__errnomemcmp$_o__invalid_parameter_noinfo
String ID: onecore\internal\sdk\inc\wil/Staging.h
API String ID: 859076816-4099157372
Opcode ID: 8f0934418c359f349685027090f3cc3e5fe48846a02656393a4b2669eaf1498d
Instruction ID: f20e4711817466a1bebd47a9b99d305a9396d96ff92417fd6b7f65cb66c6f43a
Opcode Fuzzy Hash: 8f0934418c359f349685027090f3cc3e5fe48846a02656393a4b2669eaf1498d
Instruction Fuzzy Hash: 83C1A662F1465189EB24EFB598002FD67B1FB24788FD44036DE4D27B69DF38A451CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3F58, Relevance: 9.0, APIs: 7, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8F3F96

Part of subcall function 00007FF72B8F3DF4: GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3E23
Part of subcall function 00007FF72B8F3DF4: GetProcAddress.KERNEL32 ref: 00007FF72B8F3E40

GetProcessHeap.KERNEL32 ref: 00007FF72B8F4031
HeapFree.KERNEL32 ref: 00007FF72B8F4045
GetProcessHeap.KERNEL32 ref: 00007FF72B8F4051
HeapAlloc.KERNEL32 ref: 00007FF72B8F4065
GetProcessHeap.KERNEL32 ref: 00007FF72B8F4219
HeapFree.KERNEL32 ref: 00007FF72B8F422D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocHandleModuleProcmemset
String ID:
API String ID: 2903015918-0
Opcode ID: 3b8c0deba00ad8c18a03b1b41023549990ba36109af67922b5846e8fe0d52574
Instruction ID: db5f7be3acebc5ef81cba7773ef61a89ccee30cb1e1ab59eb1e5a565a140e5ce
Opcode Fuzzy Hash: 3b8c0deba00ad8c18a03b1b41023549990ba36109af67922b5846e8fe0d52574
Instruction Fuzzy Hash: CB916432A14B518AEB20DF69E8405BDB7B0F798B48B884136DF8E53764DF38E195CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FEEC4, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FEF90

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FF00C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FF09A

Part of subcall function 00007FF72B8FDCD8: GetLastError.KERNEL32 ref: 00007FF72B8FDD02
Part of subcall function 00007FF72B8FDCD8: CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FDD13
Part of subcall function 00007FF72B8FDCD8: SetLastError.KERNEL32 ref: 00007FF72B8FDD21

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FF0F4

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF72B8FEFAC, 00007FF72B8FF024, 00007FF72B8FF083, 00007FF72B8FF146

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Task$Free$ErrorLast$Alloc
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3148345226-1752416456
Opcode ID: 9e432260b04d99bd4ef2a76f0dbaba5a13c475b106532a38d882f0fce19f5f20
Instruction ID: 6c6eb7b2aa864008ccabb8f65974ddaca5b112a4d1a27cce745c244e51d12fd4
Opcode Fuzzy Hash: 9e432260b04d99bd4ef2a76f0dbaba5a13c475b106532a38d882f0fce19f5f20
Instruction Fuzzy Hash: BB71B422719A4685EA25EF19EC902B9A760FFD8B84FC44031EA8E47774DF3CE551CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90FCD0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32 ref: 00007FF72B90FD2A
SetDlgItemTextW.USER32 ref: 00007FF72B90FD3E
SendDlgItemMessageW.USER32 ref: 00007FF72B90FD6C
GetDlgItemTextW.USER32 ref: 00007FF72B90FDD7

Strings

https://go.microsoft.com/fwlink/p/?linkid=838060, xrefs: 00007FF72B90FD9B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Item$MessageSendText
String ID: https://go.microsoft.com/fwlink/p/?linkid=838060
API String ID: 3392263854-3259131482
Opcode ID: 0bf8e11640e445807c5102bdaabf3ff3f9dfa4b1e3089b2df6762f68868cc8bb
Instruction ID: 47690bb09c4f85370edb51efadd7ac24f0a929e0337800253c79a273080b58d5
Opcode Fuzzy Hash: 0bf8e11640e445807c5102bdaabf3ff3f9dfa4b1e3089b2df6762f68868cc8bb
Instruction Fuzzy Hash: 05319131A08681C7F7205B19E944379EB61FB89B84F958531CA8947BA8CF3CE5459B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90E3A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrywindowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF72B90E3DF
LoadIconW.USER32 ref: 00007FF72B90E3FD
LoadImageW.USER32 ref: 00007FF72B90E442
RegisterClassExW.USER32 ref: 00007FF72B90E495

Strings

Notepad, xrefs: 00007FF72B90E463

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Load$ClassCursorIconImageRegister
String ID: Notepad
API String ID: 2097758932-311999004
Opcode ID: 69bea1f71d297bfa9ecbf2b7a90ff58e48320d996e8aa0ee86e2fa0fdc900dd8
Instruction ID: 85a8af7e09bca3052afe4a45f5e3642f0de763169f4b324224eefe1e1e4baaf9
Opcode Fuzzy Hash: 69bea1f71d297bfa9ecbf2b7a90ff58e48320d996e8aa0ee86e2fa0fdc900dd8
Instruction Fuzzy Hash: FE316B32A14F01CAD7109F24E8843ACB7A8FB88B48F858139DA8D53B54DF39E965C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B910544, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 00007FF72B910568
SetCursor.USER32 ref: 00007FF72B91059C
GetLastError.KERNEL32 ref: 00007FF72B9105EC
FormatMessageW.KERNEL32 ref: 00007FF72B910622

Part of subcall function 00007FF72B9102C8: MessageBoxW.USER32 ref: 00007FF72B910321

Strings

0, xrefs: 00007FF72B910659

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CursorMessage$ErrorFormatLast
String ID: 0
API String ID: 405598114-4108050209
Opcode ID: dab7530f3b00ed76ea994c1efd162e9b9e38a5b54c74b479e0274a35d187bc4e
Instruction ID: 086c040dd8600aa7c107a83bdf29c6aa17fa684b74a992973dbced243ec2e56f
Opcode Fuzzy Hash: dab7530f3b00ed76ea994c1efd162e9b9e38a5b54c74b479e0274a35d187bc4e
Instruction Fuzzy Hash: D6318461E2DA42CBFA607719AC51779F6A0EF89750FC15231D9DD826B0CF3DE4409E20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9020C4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF72B902110
RegCreateKeyW.ADVAPI32 ref: 00007FF72B90213E
RegSetValueExW.ADVAPI32 ref: 00007FF72B90216F
RegCloseKey.ADVAPI32 ref: 00007FF72B90217F

Strings

Software\Microsoft\Notepad, xrefs: 00007FF72B902130

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Value$CloseCreateQuery
String ID: Software\Microsoft\Notepad
API String ID: 409396109-2830939880
Opcode ID: 086ec40b2efc3f79f33dd0d00a8c6e7486357a3a0616fa0bd7420f738fdcd2c3
Instruction ID: 9293edf2cdd3e7425c7bdd8ed110a5ac4d764ddc3bb96e2f71d4e4734292a616
Opcode Fuzzy Hash: 086ec40b2efc3f79f33dd0d00a8c6e7486357a3a0616fa0bd7420f738fdcd2c3
Instruction Fuzzy Hash: 8F214372A04B41CFEB509F28D8442ACBBA4FB0979CF854631EB9D43B68DB38C558CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3460, Relevance: 7.7, APIs: 6, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F3545
HeapAlloc.KERNEL32 ref: 00007FF72B8F355C
GetProcessHeap.KERNEL32 ref: 00007FF72B8F3577
GetProcessHeap.KERNEL32 ref: 00007FF72B8F359B
HeapFree.KERNEL32 ref: 00007FF72B8F35AF
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8F36EB

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$Process$AllocFreememset
String ID:
API String ID: 2653029805-0
Opcode ID: 54d9e156b72fb4e1f6a07c5526019c3860cb996dbe0574fd1ecc025deee39d74
Instruction ID: 3526ab4df53b065c8e17a1e4ef9d08eba3eab2d50c9ea520b532d5438b326aa0
Opcode Fuzzy Hash: 54d9e156b72fb4e1f6a07c5526019c3860cb996dbe0574fd1ecc025deee39d74
Instruction Fuzzy Hash: 7D81C0A2A09B8185EA51AF59EA04179F760FB68BC4BD98035CE0D07760DF3CF4B6DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FF2AC, Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF72B8FF364

Part of subcall function 00007FF72B8FFA28: LocalAlloc.KERNEL32(00000000,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFAA7

Part of subcall function 00007FF72B8FFB28: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB57
Part of subcall function 00007FF72B8FFB28: LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB68
Part of subcall function 00007FF72B8FFB28: SetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF72B8FF3BB), ref: 00007FF72B8FFB76

LocalFree.KERNEL32 ref: 00007FF72B8FF3D2
LocalFree.KERNEL32 ref: 00007FF72B8FF465
LocalFree.KERNEL32 ref: 00007FF72B8FF4B3

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF72B8FF385, 00007FF72B8FF3EF, 00007FF72B8FF44E, 00007FF72B8FF505

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Local$Free$ErrorLast$Alloc
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3879364810-1752416456
Opcode ID: a3d310d43ec2ac68c443b553cf010351fc326481a47327bed28506c92e2dbc09
Instruction ID: f3a979696a4af0a93d6c27e5c1ed6a4bc4b3527773c049505027071f8b0b5fb7
Opcode Fuzzy Hash: a3d310d43ec2ac68c443b553cf010351fc326481a47327bed28506c92e2dbc09
Instruction Fuzzy Hash: 1F619622B19A4686EA25EF19EC806B9A360FF98B84FC45032DE4D47775CF3CE511CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F5178, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8F55AC: _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,onecore\internal\sdk\inc\wil/Staging.h,00007FF72B8F51BD), ref: 00007FF72B8F58BC

GetProcessHeap.KERNEL32 ref: 00007FF72B8F522D
HeapFree.KERNEL32 ref: 00007FF72B8F5241
GetProcessHeap.KERNEL32 ref: 00007FF72B8F525D
HeapFree.KERNEL32 ref: 00007FF72B8F5271

Strings

onecore\internal\sdk\inc\wil/Staging.h, xrefs: 00007FF72B8F515E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$FreeProcess$_o__errno
String ID: onecore\internal\sdk\inc\wil/Staging.h
API String ID: 1235431766-4099157372
Opcode ID: f74f02d23f3553339fa86f5639a1035ed8109d9e227bdeaa0cffafc499ed075e
Instruction ID: 157b7f21876a77bb9d9f07dab89950a08055f1fde8a2dcafd173d8e82bb3b529
Opcode Fuzzy Hash: f74f02d23f3553339fa86f5639a1035ed8109d9e227bdeaa0cffafc499ed075e
Instruction Fuzzy Hash: 2141A672A14B8185DB10EF29A8446ADB7A1FB9AFC4FD49231DE4C13766CF38E491CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9103D4, Relevance: 7.6, APIs: 5, Instructions: 81memorywindowCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF72B91043C
LocalFree.KERNEL32 ref: 00007FF72B910490
CreateDCW.GDI32 ref: 00007FF72B9104CF
LocalFree.KERNEL32 ref: 00007FF72B9104E1
MessageBoxW.USER32 ref: 00007FF72B91051C

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Local$Free$AllocCreateMessage
String ID:
API String ID: 1500861735-0
Opcode ID: e3d065af1f205b251beb90ec1e394f9f6dd3175bd0d003a7c690e1c51708c70a
Instruction ID: 5419b85f44b8e0924736b7b5443e969964c86bce3fdfd7582e87cbe310e8f173
Opcode Fuzzy Hash: e3d065af1f205b251beb90ec1e394f9f6dd3175bd0d003a7c690e1c51708c70a
Instruction Fuzzy Hash: AC412D32A18A42CBE710AF19E844579FBA0FBCAB85B959031DA8D53764EF3DE4049F10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FB15C, Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF72B8FB192
LoadStringW.USER32 ref: 00007FF72B8FB1E9
FormatMessageW.KERNEL32 ref: 00007FF72B8FB230
#345.COMCTL32 ref: 00007FF72B8FB259
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FB282

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: #345FormatFreeLoadMessageStringTaskmemset
String ID:
API String ID: 2015745548-0
Opcode ID: 970465d36e85b2f3f92ff1aec6d742661e5a0a590dd413fc4f9b83780c0ba9fd
Instruction ID: 7e04086bfd66135f957b86001a5b02071c9827c6fb192e36daf9a4c88401bbf8
Opcode Fuzzy Hash: 970465d36e85b2f3f92ff1aec6d742661e5a0a590dd413fc4f9b83780c0ba9fd
Instruction Fuzzy Hash: 83311732618B86CBE7109B59E8403AAB7B4FB89744F945025EA8D47A68DF3CE514CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90EA40, Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF72B90EA71
SendMessageW.USER32 ref: 00007FF72B90EA8F
LocalLock.KERNEL32 ref: 00007FF72B90EAB0
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B90EAED
LocalUnlock.KERNEL32 ref: 00007FF72B90EAF9

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: LocalMessageSend$LockUnlockmemcpy
String ID:
API String ID: 4230444973-0
Opcode ID: a9f68d4b661027cc416732db320e32ef3ac464a497b7521188ed25035e29a5ad
Instruction ID: cdb437598405f9c7184a7127220d57749f83d54de011a136f3415e2d1e0d8c7a
Opcode Fuzzy Hash: a9f68d4b661027cc416732db320e32ef3ac464a497b7521188ed25035e29a5ad
Instruction Fuzzy Hash: D3218632A15B42CBDB049F5AE844569FBA0FBC9B81B959135CB4E03764DF38E845CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FFD84, Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF72B8FFC5A,?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFDAA
_o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF72B8FFC5A,?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFDBD

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: _o__errno_o__invalid_parameter_noinfo
String ID:
API String ID: 2671245207-0
Opcode ID: ab92233359da45f21528bff55b7c1439a6cc97d236008c3d0212e4f5fe24f5ea
Instruction ID: 784df1f58b3b32b006b3c080913e18c5febd2c8829e4e1957ac57400712597e8
Opcode Fuzzy Hash: ab92233359da45f21528bff55b7c1439a6cc97d236008c3d0212e4f5fe24f5ea
Instruction Fuzzy Hash: CF01D221E1E6838BFA503B19AD4017DD551EFA5B80FC49030DF0E0B7AAEE2CB4119EA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6304, Relevance: 7.5, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6325
HeapFree.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6339
GetProcessHeap.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6353
HeapFree.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6367
GetProcessHeap.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6381
HeapFree.KERNEL32(?,?,?,00007FF72B8F61F7), ref: 00007FF72B8F6395

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 825b97cfe70b32361a97c3da66793807158b8ed075c58617446809871d6b1368
Instruction ID: 9a15bbcbde71daffbf057f2a0e29a36eb0462217e40d5c53c9a8c4d243d8aa02
Opcode Fuzzy Hash: 825b97cfe70b32361a97c3da66793807158b8ed075c58617446809871d6b1368
Instruction Fuzzy Hash: E0117331914B81CAE7019B66AA04378FAA1FB8DFD5F88A130CE4D07724DF38A041D610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B912EF0, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B912F2F, 00007FF72B912F6F, 00007FF72B912FDD, 00007FF72B913031, 00007FF72B9130B9
Windows.Security.EnterpriseData.FileProtectionManager, xrefs: 00007FF72B912F9D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateReferenceStringWindows
String ID: Windows.Security.EnterpriseData.FileProtectionManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3143385082-4012696473
Opcode ID: cab17d6a8e78257b25cc9d6fbaeb758a0ec9a6ed767f2c1376087ad4617a4a82
Instruction ID: 633011bbcfc346005ed841a870ae42f756e97dbb02469fc63c8a6ab73aec997b
Opcode Fuzzy Hash: cab17d6a8e78257b25cc9d6fbaeb758a0ec9a6ed767f2c1376087ad4617a4a82
Instruction Fuzzy Hash: E6711F26B28A06DEEB00EB69D8501AC7375FB88B88F809032DE8D57B65DE38D505E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F476C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F47E9
GetProcAddress.KERNEL32 ref: 00007FF72B8F4806

Strings

RtlQueryFeatureConfiguration, xrefs: 00007FF72B8F47FC
ntdll.dll, xrefs: 00007FF72B8F47E2

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlQueryFeatureConfiguration$ntdll.dll
API String ID: 1646373207-4111156962
Opcode ID: 67256af9e75498a8e1d9a2ec9c81f651c6b3d9381b56eca433ff99d5938a751a
Instruction ID: 79364337a606d2d1d3d63e5ac994d632d68edb6f91625d0f9eb92966b3ef2b91
Opcode Fuzzy Hash: 67256af9e75498a8e1d9a2ec9c81f651c6b3d9381b56eca433ff99d5938a751a
Instruction Fuzzy Hash: D441A572A29B468BEB559F19EC00665B7E1FB98750F898035DA4E43760EF3CE501CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FED00, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FED62
GetModuleFileNameW.KERNEL32 ref: 00007FF72B8FED8F
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FEE20

Strings

onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h, xrefs: 00007FF72B8FEE0A, 00007FF72B8FEE33, 00007FF72B8FEE62

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Task$Free$AllocFileModuleName
String ID: onecore\internal\sdk\inc\wil\opensource/wil/win32_helpers.h
API String ID: 3233965490-1752416456
Opcode ID: bf790d6f7336c317861cc595d6e4d36f08353a284cd1b5d7a7b95726ff9b5d11
Instruction ID: fe4404c1f6b33e23d0284f712eab4335879f966cabcafbf3145f34716e1f2e50
Opcode Fuzzy Hash: bf790d6f7336c317861cc595d6e4d36f08353a284cd1b5d7a7b95726ff9b5d11
Instruction Fuzzy Hash: FA316327B0864686EA10BB19EC000B9E791FF94B81FC84432DA8D43BB4DE7CF5558FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B913178, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

PropVariantClear.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B913249
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B913290
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B9132A7

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B9131BA

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FreeTask$ClearPropVariant
String ID: shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 3162903231-1113416246
Opcode ID: d365831a6b6541b85e10bc40318d04f47270dcfe78fe877149162512b53e2f6d
Instruction ID: c38903bcc84bda24cdc4e94e6eaab917c28ae0faf4b11372e44f4e24a8c950b9
Opcode Fuzzy Hash: d365831a6b6541b85e10bc40318d04f47270dcfe78fe877149162512b53e2f6d
Instruction Fuzzy Hash: 90418036B28A46DEEB10AF69DC405A8BB70FB88B98B949031DE4E43734DF39D445E750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B913990, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913A38
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B913A77

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B913A8E
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B913A31

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 1137cb141f0ea2834815c254b0d883aae2359644a638e1ad0f5cfa70807ddb48
Instruction ID: b0762e852eacaa41b3a36680cd67fb53d319d8eea34cc1290b0b7a89f27b62eb
Opcode Fuzzy Hash: 1137cb141f0ea2834815c254b0d883aae2359644a638e1ad0f5cfa70807ddb48
Instruction Fuzzy Hash: 52414F21629B46DAEB10AB19E8543A9F370FBC8B84F859132DA8D47774DF3CD144EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F92A8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

IsTextUnicode.ADVAPI32 ref: 00007FF72B8F92ED
MultiByteToWideChar.KERNEL32 ref: 00007FF72B8F9333
GetLastError.KERNEL32 ref: 00007FF72B8F9343

Strings

d, xrefs: 00007FF72B8F9306

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ByteCharErrorLastMultiTextUnicodeWide
String ID: d
API String ID: 160532073-2564639436
Opcode ID: fb0407ecd6cf5c8fae06e560c5e21e6acedf2caa995329a8947b6afb8f904179
Instruction ID: f279a6ad7e947644d400111ad821c1cd271dd4f24461283da1ff733e29442433
Opcode Fuzzy Hash: fb0407ecd6cf5c8fae06e560c5e21e6acedf2caa995329a8947b6afb8f904179
Instruction Fuzzy Hash: 51316D31A0C642C7E7306B19A840679E690EB95B50FD05136EB4E83AF4DB2CE855CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B913B2C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913B68
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B913BA7

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B913BBE
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B913B61

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 671784dec72e2e2964e997f4192f3a7d2b0ec3dde980a2d7a831df274575ebc1
Instruction ID: 79e4f0617b3efaa8719ea9ff377d92f8a4306a6e7ad36228afecf5f63a3708dc
Opcode Fuzzy Hash: 671784dec72e2e2964e997f4192f3a7d2b0ec3dde980a2d7a831df274575ebc1
Instruction Fuzzy Hash: 8C214C22728A46DAEB10EB29E8543B9A371FBC8B84F919132DA8D47774CF3CD441DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9137A0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9137DC
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B91381B

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B913832
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B9137D5

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 5811a7de13778b3230d11143fbf0f319fb50724021e282346e36344630e43ecd
Instruction ID: d597cd7abbdcdac35e158d0e94d07529817b275b44e8bd17d69cda8e2cfc67a1
Opcode Fuzzy Hash: 5811a7de13778b3230d11143fbf0f319fb50724021e282346e36344630e43ecd
Instruction Fuzzy Hash: C9215E22B28A46DAEB10EB19E8543B9A371FBC8B84F959132DA8D47774CF3CD441DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B912E14, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B912E49
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B912E6E

Strings

shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp, xrefs: 00007FF72B912E85
Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B912E42

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager$shell\osshell\accesory\common\edpapphelper\edpapphelper.cpp
API String ID: 1966789792-1088074545
Opcode ID: 14604f2c01c8dfabc667f165bb9e4d7b4ee73db3a4be538feab967074ea88441
Instruction ID: 905f0b89f9d6eee46a613cac169f689e5bde26fa6f9c67d68f8aee8e6d1f448e
Opcode Fuzzy Hash: 14604f2c01c8dfabc667f165bb9e4d7b4ee73db3a4be538feab967074ea88441
Instruction Fuzzy Hash: BE215021B28A06CAEB10EB19D8543B9B760FBC8B84F905132DA8D47774DF3DD545DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B911660, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8FFBB0: CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00007FF72B8F98A0), ref: 00007FF72B8FFC2D

RegisterApplicationRestart.KERNEL32 ref: 00007FF72B9116AC
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,00000001,00007FF72B90369B), ref: 00007FF72B9116E3

Strings

RestartByRestartManager:, xrefs: 00007FF72B91166D
shell\osshell\accesory\notepad\nprestart.cpp, xrefs: 00007FF72B9116C8

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Task$AllocApplicationFreeRegisterRestart
String ID: RestartByRestartManager:$shell\osshell\accesory\notepad\nprestart.cpp
API String ID: 1630650924-2284408686
Opcode ID: 4262926be94cd1da5739eecef95dac49ef682a641eda92a09b35fdafa48008e5
Instruction ID: 0bfe20f504e361f0c308ece9d7e07a2d62f8b00cc7a15075ef9f17d547546044
Opcode Fuzzy Hash: 4262926be94cd1da5739eecef95dac49ef682a641eda92a09b35fdafa48008e5
Instruction Fuzzy Hash: E001D622B28643D6EB00AB1AEC105BAE651EFD4BC0F886031D98E43774DE3DE5859F50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3D60, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3D96
GetProcAddress.KERNEL32 ref: 00007FF72B8F3DB3

Strings

ntdll.dll, xrefs: 00007FF72B8F3D8F
RtlDisownModuleHeapAllocation, xrefs: 00007FF72B8F3DA9

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDisownModuleHeapAllocation$ntdll.dll
API String ID: 1646373207-704576883
Opcode ID: b0a861913c3694a91a1e5fa372cf1588ba86ab1b2f66e1381138d881dbe9c37b
Instruction ID: ba01685a40db741e9d0fe7dc432b6946f2b7911a9a2ec9508424159038772088
Opcode Fuzzy Hash: b0a861913c3694a91a1e5fa372cf1588ba86ab1b2f66e1381138d881dbe9c37b
Instruction Fuzzy Hash: 84011A20A19B42CAEE05AB0AFC84165F6A0FF88B84BC49175D98D43734EF3CF4559B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3C60, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3C8D
GetProcAddress.KERNEL32 ref: 00007FF72B8F3CAA

Strings

ntdll.dll, xrefs: 00007FF72B8F3C86
RtlNtStatusToDosErrorNoTeb, xrefs: 00007FF72B8F3CA0

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlNtStatusToDosErrorNoTeb$ntdll.dll
API String ID: 1646373207-1321910969
Opcode ID: 2ce9a5ca2821297fb50248740b7907f3621fd2095108a5eb919d9a478203ba96
Instruction ID: 1cfd0fafd86f8e62f5864c1f5e0cdd600ed92eb1d8fb69355a344e1276a0ab4b
Opcode Fuzzy Hash: 2ce9a5ca2821297fb50248740b7907f3621fd2095108a5eb919d9a478203ba96
Instruction Fuzzy Hash: 03F0F620A19B42CAEE05AB0DEC84174B2A1FF88744BC59075CA8D42330EF3CF4559A20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3CE0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F3D07
GetProcAddress.KERNEL32 ref: 00007FF72B8F3D24

Strings

ntdll.dll, xrefs: 00007FF72B8F3D00
RtlDllShutdownInProgress, xrefs: 00007FF72B8F3D1A

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 2c0934975e5bc364a1a0a00984a27c75152587989ec7d54960f497c7e2becca9
Instruction ID: c839e15843f7240ecbefb95a272186401bd482c3ffcdd4b7b9abfeb22305ff77
Opcode Fuzzy Hash: 2c0934975e5bc364a1a0a00984a27c75152587989ec7d54960f497c7e2becca9
Instruction Fuzzy Hash: 5BF09720E1AB02CEEA157F59EC451B0B7A0FFA9701BC5A175C98D07370EF3CB5559A60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F4CF0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F4D18
GetProcAddress.KERNEL32 ref: 00007FF72B8F4D35

Strings

ntdll.dll, xrefs: 00007FF72B8F4D11
RtlUnregisterFeatureConfigurationChangeNotification, xrefs: 00007FF72B8F4D2B

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnregisterFeatureConfigurationChangeNotification$ntdll.dll
API String ID: 1646373207-1836318313
Opcode ID: 28de1c808d372a9417fe283310ac5c7641b7f79e2204b257c291048f3d752c66
Instruction ID: 9ee2f067f84e1d65de3105ea2ed3b8eabf86a03d7915122669028491c9255728
Opcode Fuzzy Hash: 28de1c808d372a9417fe283310ac5c7641b7f79e2204b257c291048f3d752c66
Instruction Fuzzy Hash: ADF0A920E1AB06CAFE05BB09AC44170B7A0FF99B55BC99175C98D06370EF3CB1559A60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F4C7C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F4CA4
GetProcAddress.KERNEL32 ref: 00007FF72B8F4CC1

Strings

ntdll.dll, xrefs: 00007FF72B8F4C9D
RtlUnsubscribeWnfNotificationWaitForCompletion, xrefs: 00007FF72B8F4CB7

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlUnsubscribeWnfNotificationWaitForCompletion$ntdll.dll
API String ID: 1646373207-368597124
Opcode ID: 83d9c252ac964497717aea220aae900edc2b434939c906b212475c540b3d269e
Instruction ID: c95b14042b3bdb99e0f3b8d50329a2199b7d22069aebc26e42be06c7fb30509d
Opcode Fuzzy Hash: 83d9c252ac964497717aea220aae900edc2b434939c906b212475c540b3d269e
Instruction Fuzzy Hash: F8F0BD24E1AB06CAEE15AB4EEC44170A7A0FF99745BC96175C98D06370EF3CB055DA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F27C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF72B8F27DF
GetProcAddress.KERNEL32 ref: 00007FF72B8F27F5

Strings

kernelbase.dll, xrefs: 00007FF72B8F27D5
RaiseFailFastException, xrefs: 00007FF72B8F27EE

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 48d0bc579d63c4e7cfea927019cd231a443076e71b80217c0f3d45544442a5bc
Instruction ID: 68f20b2d6bedfbac466aca851fceee2d2f134117193cd61993ee15862e7fdaae
Opcode Fuzzy Hash: 48d0bc579d63c4e7cfea927019cd231a443076e71b80217c0f3d45544442a5bc
Instruction Fuzzy Hash: F8F0BD21A29691CAE6045F06F844065E661FB89BC0BC4A135DA8E07B68DF2CD455DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F48F4, Relevance: 6.3, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F492B
HeapAlloc.KERNEL32 ref: 00007FF72B8F493F
GetProcessHeap.KERNEL32 ref: 00007FF72B8F495A
GetProcessHeap.KERNEL32 ref: 00007FF72B8F49A5
HeapFree.KERNEL32 ref: 00007FF72B8F49B9

Part of subcall function 00007FF72B8F1FF4: _o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B8F2011
Part of subcall function 00007FF72B8F1FF4: _o__invalid_parameter_noinfo.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF72B8F2024

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$Process$AllocFree_o__errno_o__invalid_parameter_noinfo
String ID:
API String ID: 2883572028-0
Opcode ID: f4b1a9164b5d7c4b4bd4965cbf620c628e5f42759474ec9670633fa2f50553b1
Instruction ID: 9c91827d9f2db77f7d956e74e282739b8430b842f79933f155e4c6b8ce60dc2a
Opcode Fuzzy Hash: f4b1a9164b5d7c4b4bd4965cbf620c628e5f42759474ec9670633fa2f50553b1
Instruction Fuzzy Hash: FE217C36A14F41CADB04AF6AE940068B7A4FB99FD4B889236CE5D07765CF38E062C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F63B4, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72B8F68A0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F68FF
Part of subcall function 00007FF72B8F68A0: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF72B8F63E6), ref: 00007FF72B8F6923

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6421
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F6475
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F64BA
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F64D6

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 7fca9310fbc80823f69c121ddedefa8c621d39d737d8e4e55953743f632b2d19
Instruction ID: bc85384077d42acdaacc577af1a5d3956fafa83231f9c34f7d165e8b1e461ea7
Opcode Fuzzy Hash: 7fca9310fbc80823f69c121ddedefa8c621d39d737d8e4e55953743f632b2d19
Instruction Fuzzy Hash: C6316F21E0864286FA20BF19A980279F790FB75B80FD85131DA4D037A1CF2DF4A5CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F6950, Relevance: 6.0, APIs: 4, Instructions: 46threadtimeCOMMON

Download Yara Rule

APIs

CreateThreadpoolTimer.KERNEL32 ref: 00007FF72B8F6987
GetLastError.KERNEL32(?,?,?,00007FF72B8F64CE), ref: 00007FF72B8F699F

Part of subcall function 00007FF72B8F84B8: SetThreadpoolTimer.KERNEL32(?,?,?,00007FF72B8F82E8), ref: 00007FF72B8F84C9
Part of subcall function 00007FF72B8F84B8: WaitForThreadpoolTimerCallbacks.KERNEL32(?,?,?,00007FF72B8F82E8), ref: 00007FF72B8F84DD

SetLastError.KERNEL32(?,?,?,00007FF72B8F64CE), ref: 00007FF72B8F69B7
SetThreadpoolTimer.KERNEL32(?,?,?,00007FF72B8F64CE), ref: 00007FF72B8F69EC

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ThreadpoolTimer$ErrorLast$CallbacksCreateWait
String ID:
API String ID: 1675045912-0
Opcode ID: 76998cd62448d3d39e1a8054bed810b7c8b4d3ba8f7fa196e95bc56536fb0a0b
Instruction ID: 19cac55b53d917712a1c29dff4750fe2cbf07243da17bb5fd61982c4b544571d
Opcode Fuzzy Hash: 76998cd62448d3d39e1a8054bed810b7c8b4d3ba8f7fa196e95bc56536fb0a0b
Instruction Fuzzy Hash: 85118422B18B91CBE710AB29A84017DBA60FB55F80FC49230DE8D07B64CF3DE465CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F5FB8, Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF72B8F5FD9
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF72B8F5FE8
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF72B8F601F
LeaveCriticalSection.KERNEL32 ref: 00007FF72B8F6033

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: 3a39090eb9dc4828f58b7e8b9f1fcab9880cd8098a5390b615f6697595bc5d86
Instruction ID: 1d018d806f4ac641f60098bc6b0029e640250cdf2f62a0518c935bd25ffb7e5d
Opcode Fuzzy Hash: 3a39090eb9dc4828f58b7e8b9f1fcab9880cd8098a5390b615f6697595bc5d86
Instruction Fuzzy Hash: 6C014462A14B82C6DA145B25A950079E761FF99FC1798A231DE4E13724DF3CE491CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B90EE80, Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF72B90EE9F
IsDialogMessageW.USER32 ref: 00007FF72B90EEC0
TranslateMessage.USER32 ref: 00007FF72B90EED5
DispatchMessageW.USER32 ref: 00007FF72B90EEE6

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: db6c2f0df82b361cd8660d9da5f869d297314cff3419e05836c5597ff0ce09ca
Instruction ID: 1fde63d6052da1ad8bf458aaac31ba9f141f98328e5ef7e47b8accafaf43e6ae
Opcode Fuzzy Hash: db6c2f0df82b361cd8660d9da5f869d297314cff3419e05836c5597ff0ce09ca
Instruction Fuzzy Hash: AF01E121E29946CBE750AF18EC44675FA54FFA5B41FC5A431DA8E42A70DF3CE404DE20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FC070, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,00007FF72B901B71), ref: 00007FF72B8FC07D
OpenProcessToken.ADVAPI32 ref: 00007FF72B8FC094
GetTokenInformation.ADVAPI32 ref: 00007FF72B8FC0C4
CloseHandle.KERNEL32(?,?,?,?,?,00007FF72B901B71), ref: 00007FF72B8FC0DC

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: ef7cb3755e8f09ef77ce0c0b5c25dd5c7094862bf0735327f92b98f78e6b5b9e
Instruction ID: 5e62df6c76e7b3940bdc636a5efce49d1fa7fb3f110e2ac75c4001d75f1ce4fb
Opcode Fuzzy Hash: ef7cb3755e8f09ef77ce0c0b5c25dd5c7094862bf0735327f92b98f78e6b5b9e
Instruction Fuzzy Hash: F5011A36604B81CBD7009F24E8404AAFBB0FBCAB15B848125DA8D43724CF78D909CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F9DC4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8F9E0C
PathIsFileSpecW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0 ref: 00007FF72B8F9EFE

Strings

prop:System.Security.EncryptionOwners, xrefs: 00007FF72B8F9E36

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateFileInstancePathSpec
String ID: prop:System.Security.EncryptionOwners
API String ID: 4203885736-2773134222
Opcode ID: e93088415847ae4d12fcdd9f003c87568bd16ff919f67b302c5caa7cf1401105
Instruction ID: 35a5dd5384450f5f1ae902d4e49884623973b848cdc53fc6711a40c214e9ce9a
Opcode Fuzzy Hash: e93088415847ae4d12fcdd9f003c87568bd16ff919f67b302c5caa7cf1401105
Instruction Fuzzy Hash: F191EB26B14B16CAEB009B6ADC843A86770FB88B88F859132CF0D57774DF39E445D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B913C34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B913C71
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B913CAD

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B913C6A

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1966789792-1562784004
Opcode ID: 0d5f8cc29e8d6292dccfdd15bd7684412565464f6e207c68aae51fe2997a51e1
Instruction ID: 775bd6faaedddd53a31ff1129809cf383492b3785b4b1c3dec5a945b0f5bc133
Opcode Fuzzy Hash: 0d5f8cc29e8d6292dccfdd15bd7684412565464f6e207c68aae51fe2997a51e1
Instruction Fuzzy Hash: 49313E26B28A46DAFF04AB69DC503BC6370FB84B48F959035CA4E57664CF28D445EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B911538, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CoCreateGuid.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B91156C
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B91161A

Strings

%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00007FF72B9115D3

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: CreateFreeGuidTask
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X
API String ID: 2319009263-4283501729
Opcode ID: 123a6ca25202cd6f815e0fb313ff7fec648beafd19847216478cf2f53566d232
Instruction ID: 6f384b46479f8811c7bb311f39906bf06f3a1b3c61a988a94868f52ce31a9ea1
Opcode Fuzzy Hash: 123a6ca25202cd6f815e0fb313ff7fec648beafd19847216478cf2f53566d232
Instruction Fuzzy Hash: 4D3181336196A0CED7509F25E8502A9BBB4F788788F892126FF8E43B54CB38D491DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B910B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00000000,00000000,00007FF72B90E657), ref: 00007FF72B910C5E
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,00000000,00000000,00007FF72B90E657), ref: 00007FF72B910C74

Strings

\Notepad, xrefs: 00007FF72B910C21

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FreeTask
String ID: \Notepad
API String ID: 734271698-3898563714
Opcode ID: 883eb3ab38e63a6bb79dc25466f8a2f26dbff9db214831c9d9d2436746067c69
Instruction ID: a63f5510ad9ab0b79ffedf5a173e859e45fb10264954bae82953159524d4e65e
Opcode Fuzzy Hash: 883eb3ab38e63a6bb79dc25466f8a2f26dbff9db214831c9d9d2436746067c69
Instruction Fuzzy Hash: 1221B436A18B41C5EB10AF19E8401AAB760FB88B90FD49232DE9D033A4DF3DD551DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B9138A8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF72B9138E5
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF72B913921

Strings

Windows.Security.EnterpriseData.ProtectionPolicyManager, xrefs: 00007FF72B9138DE

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: ActivationCreateFactoryReferenceStringWindows
String ID: Windows.Security.EnterpriseData.ProtectionPolicyManager
API String ID: 1966789792-1562784004
Opcode ID: 41891429762d818e05d2b5ee9234f46b13a8a441304a71c9d5d1e525415997a2
Instruction ID: 51320725688bc0b13d0c328dbc4d6a78331656111a8d13b94800ea0c486e59ee
Opcode Fuzzy Hash: 41891429762d818e05d2b5ee9234f46b13a8a441304a71c9d5d1e525415997a2
Instruction Fuzzy Hash: BA212B22B24A15DAFB00EB69D8943AC6770FB84B48F949036DE8E57765CF38D045DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8FAC0B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 00007FF72B8FAC75
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF72B8FAFC7

Strings

feedback-hub://?tabid=2&contextid=1010, xrefs: 00007FF72B8FAC41

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: FreeIconLoadTask
String ID: feedback-hub://?tabid=2&contextid=1010
API String ID: 2336424503-1864734595
Opcode ID: bf46ae015f07175977de0ce2cd5772f38dbe3b4667242a6681b6c04662e092dc
Instruction ID: 4ec639428b4d8325e40d917e3ff44fc83b3561e6853edec83469b3cbee2569ad
Opcode Fuzzy Hash: bf46ae015f07175977de0ce2cd5772f38dbe3b4667242a6681b6c04662e092dc
Instruction Fuzzy Hash: 39218726E09B42CAEB10AB58EC80279E770FB987A4FC55031CD5D1B374DE3CA0559AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F59A4, Relevance: 5.2, APIs: 4, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F5CB0
HeapFree.KERNEL32 ref: 00007FF72B8F5CC4
GetProcessHeap.KERNEL32 ref: 00007FF72B8F5CF9
HeapFree.KERNEL32 ref: 00007FF72B8F5D0D

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 9c0b6e99a9b077f01694d313a6535a450aa51282ae8a7cd9f110b7a8e042c24b
Instruction ID: ea8de46410d7c807405bbe21a8b084043e1211d5af75b5c6066528a4325102f3
Opcode Fuzzy Hash: 9c0b6e99a9b077f01694d313a6535a450aa51282ae8a7cd9f110b7a8e042c24b
Instruction Fuzzy Hash: 2BB16F32A18B818AE7209F69D8401EDB7F0FB59748F904125EE8D17B69DF38E5A1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F4F48, Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F4FA5
HeapFree.KERNEL32 ref: 00007FF72B8F4FB9
GetProcessHeap.KERNEL32 ref: 00007FF72B8F4FE6
HeapFree.KERNEL32 ref: 00007FF72B8F4FFA

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f3d95f25c3677f17425cd205c3ec44b4733bcd8f04721d207ec3a4da860c3f8c
Instruction ID: 781ee4dd2f90881a05993fff7608190fb7301785ba7bad7fc9fdb89028358781
Opcode Fuzzy Hash: f3d95f25c3677f17425cd205c3ec44b4733bcd8f04721d207ec3a4da860c3f8c
Instruction Fuzzy Hash: 9F315C27915F90CAD3428F29A440269BB70F79AF94F18A214CF8C27726DB34E4E2C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF72B8F3714, Relevance: 5.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72B8F3752
HeapFree.KERNEL32 ref: 00007FF72B8F3766
GetProcessHeap.KERNEL32 ref: 00007FF72B8F378A
HeapFree.KERNEL32 ref: 00007FF72B8F379E

Memory Dump Source

Source File: 00000000.00000002.208559045.00007FF72B8F1000.00000020.00020000.sdmp, Offset: 00007FF72B8F0000, based on PE: true

Associated: 00000000.00000002.208553190.00007FF72B8F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208581067.00007FF72B918000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.208589009.00007FF72B922000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.208594381.00007FF72B925000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff72b8f0000_notepad.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: c6d411492dc7aa51039210e78294f51831ed61ed292aa6c80673049763bd63c2
Instruction ID: 4fdb8ad8de6a6026f5e7f511865052a3c37751d5df42ffb599c17e41f38ca2c6
Opcode Fuzzy Hash: c6d411492dc7aa51039210e78294f51831ed61ed292aa6c80673049763bd63c2
Instruction Fuzzy Hash: 27111C76604B81DADB149F56E8400A9BBB0F78DF80B999135DF8D13B24CF38E5A2D700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report notepad.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Cryptography:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: notepad.exe PID: 4904 Parent PID: 5680

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Function 00007FF72B8FC0F8, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 224
windowmemoryCOMMON

Function 00007FF72B8F7834, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 210
synchronizationCOMMON

Function 00007FF72B916040, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 112
libraryloaderCOMMON

Function 00007FF72B914D80, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165
COMMON

Function 00007FF72B9158B0, Relevance: 13.6, APIs: 9, Instructions: 106
COMMON

Function 00007FF72B902F84, Relevance: 10.6, APIs: 7, Instructions: 115
memoryCOMMON

Function 00007FF72B8F8504, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124
COMMON

Function 00007FF72B8F3040, Relevance: 7.6, APIs: 5, Instructions: 51
synchronizationCOMMON

Function 00007FF72B8FF7CC, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175
libraryloaderCOMMON

Function 00007FF72B8F6644, Relevance: 6.1, APIs: 4, Instructions: 62
COMMON

Function 00007FF72B8F7610, Relevance: 3.1, APIs: 2, Instructions: 82
COMMON

Function 00007FF72B9157C0, Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 00007FF72B8F68A0, Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Function 00007FF72B8F1430, Relevance: 3.0, APIs: 2, Instructions: 42
COMMON

Function 00007FF72B8F8968, Relevance: 3.0, APIs: 2, Instructions: 39
COMMON